File CVE-2020-5247.patch of Package rubygem-puma.15815
diff --git a/lib/puma/const.rb b/lib/puma/const.rb
--- a/lib/puma/const.rb
+++ b/lib/puma/const.rb
@@ -238,6 +238,7 @@
COLON = ": ".freeze
NEWLINE = "\n".freeze
+ HTTP_INJECTION_REGEX = /[\r\n]/.freeze
HIJACK_P = "rack.hijack?".freeze
HIJACK = "rack.hijack".freeze
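Review bot: HTTP_INJECTION_REGEX lands in the constant list with no comment, and the name alone does not say why a bare CR/LF class counts as "injection" or who consumes it. A one-line comment above it would tie the constant to the fix it serves: `# CR or LF inside a header value would terminate the header line and let the rest of the value be emitted as extra headers; Server#possible_header_injection? drops such values (CVE-2020-5247).` The `.freeze` on a Regexp literal is harmless but redundant on Rubies where literals are already frozen; keep it if the supported Ruby floor predates that.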
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@@ -640,6 +640,7 @@
headers.each do |k, vs|
case k.downcase
when CONTENT_LENGTH2
+ next if possible_header_injection?(vs)
content_length = vs
next
when TRANSFER_ENCODING
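Review bot: The `next if possible_header_injection?(vs)` guard drops a Content-Length value containing CR/LF silently, so an application (or middleware) that produces such a value gets a response with no Content-Length and no diagnostic, and the same applies to the per-value `next` in the hunk at line 653. Since the dropped value is the symptom of either an app bug or an attempted injection, it is worth at least a comment at the guard, e.g. `# A CR/LF inside the value would end this header line and smuggle further headers; drop it rather than emit it (CVE-2020-5247)`, and ideally a warning through the server's event sink if one is available here — I can't see from the hunk which logging object is in scope. The enclosing method begins and ends outside both hunks, so I cannot tell what the response falls back to once content_length stays unset.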
@@ -652,6 +653,7 @@
if vs.respond_to?(:to_s)
vs.to_s.split(NEWLINE).each do |v|
+ next if possible_header_injection?(v)
lines.append k, colon, v, line_ending
end
else
@@ -895,5 +897,10 @@
end
end
private :fast_write
+
+ def possible_header_injection?(header_value)
+ HTTP_INJECTION_REGEX =~ header_value.to_s
+ end
+ private :possible_header_injection?
end
end
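Review bot: `HTTP_INJECTION_REGEX =~ header_value.to_s` in possible_header_injection? builds a MatchData and sets `$~` as a side effect even though only a boolean is needed; `HTTP_INJECTION_REGEX.match?(header_value.to_s)` expresses the predicate directly and avoids that allocation, provided the gem's minimum supported Ruby has `Regexp#match?`. The new method also has no doc comment; a short one such as `# True when the header value contains a CR or LF, which would let the value end its header line and inject further headers into the response.` would let the two call sites in server.rb be read without chasing the constant. The predicate relies on `0` being truthy when the match is at index 0, which is correct in Ruby but is one more reason to prefer the boolean-returning form.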