Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
rubygem-puma
CVE-2024-45614.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-45614.patch of Package rubygem-puma
From cac3fd18cf29ed43719ff5d52d9cfec215f0a043 Mon Sep 17 00:00:00 2001 From: Evan Phoenix <evan@phx.io> Date: Wed, 18 Sep 2024 21:56:07 -0700 Subject: [PATCH] Merge commit from fork * Prevent underscores from clobbering hyphen headers * Special case encoding headers to prevent app confusion * Handle _ as , in jruby as well Co-authored-by: Patrik Ragnarsson <patrik@starkast.net> diff --git a/ext/puma_http11/org/jruby/puma/Http11.java b/ext/puma_http11/org/jruby/puma/Http11.java index 2a260a66..8fca5ebe 100644 --- a/ext/puma_http11/org/jruby/puma/Http11.java +++ b/ext/puma_http11/org/jruby/puma/Http11.java @@ -99,6 +99,8 @@ public class Http11 extends RubyObject { int bite = b.get(i) & 0xFF; if(bite == '-') { b.set(i, (byte)'_'); + } else if(bite == '_') { + b.set(i, (byte)','); } else { b.set(i, (byte)Character.toUpperCase(bite)); } diff --git a/lib/puma/const.rb b/lib/puma/const.rb index 2e9fcbd1..abb1ae00 100644 --- a/lib/puma/const.rb +++ b/lib/puma/const.rb @@ -241,5 +241,9 @@ module Puma # Mininum interval to checks worker health WORKER_CHECK_INTERVAL = 5 + UNMASKABLE_HEADERS = { + "HTTP_TRANSFER,ENCODING" => true, + "HTTP_CONTENT,LENGTH" => true, + } end end diff --git a/lib/puma/server.rb b/lib/puma/server.rb index 84515d7b..131a0d24 100644 --- a/lib/puma/server.rb +++ b/lib/puma/server.rb @@ -697,23 +697,30 @@ module Puma to_add = nil env.each do |k,v| - if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING" + if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k) if to_delete to_delete << k else to_delete = [k] end + new_k = k.tr(",", "_") + if env.key?(new_k) + next + end + unless to_add to_add = {} end - to_add[k.tr(",", "_")] = v + to_add[new_k] = v end end if to_delete to_delete.each { |k| env.delete(k) } + end + if to_add env.merge! to_add end
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor