File CVE-2024-45614.patch of Package rubygem-puma.35973
From cac3fd18cf29ed43719ff5d52d9cfec215f0a043 Mon Sep 17 00:00:00 2001
From: Evan Phoenix <evan@phx.io>
Date: Wed, 18 Sep 2024 21:56:07 -0700
Subject: [PATCH] Merge commit from fork
* Prevent underscores from clobbering hyphen headers
* Special case encoding headers to prevent app confusion
* Handle _ as , in jruby as well
Co-authored-by: Patrik Ragnarsson <patrik@starkast.net>
diff --git a/ext/puma_http11/org/jruby/puma/Http11.java b/ext/puma_http11/org/jruby/puma/Http11.java
index 2a260a66..8fca5ebe 100644
--- a/ext/puma_http11/org/jruby/puma/Http11.java
+++ b/ext/puma_http11/org/jruby/puma/Http11.java
@@ -99,6 +99,8 @@ public class Http11 extends RubyObject {
int bite = b.get(i) & 0xFF;
if(bite == '-') {
b.set(i, (byte)'_');
+ } else if(bite == '_') {
+ b.set(i, (byte)',');
} else {
b.set(i, (byte)Character.toUpperCase(bite));
}
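Review bot: The new `else if(bite == '_')` branch rewrites an underscore to a comma with no comment, and a reader of Http11.java alone will take it for a typo rather than the aliasing defence it is. Suggest `// '_' -> ',' so a header spelt X_Foo cannot normalize to the same env key as X-Foo (HTTP_X_FOO); server.rb maps ',' back to '_' only when no hyphen form is present.` The enclosing loop and method start before the hunk, so what has already been written into `b` at this point is not visible here. Only the JRuby parser is touched in this patch; if the MRI C parser needs the same mapping it is not on this page, which is worth confirming for the package.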
diff --git a/lib/puma/const.rb b/lib/puma/const.rb
index 2e9fcbd1..abb1ae00 100644
--- a/lib/puma/const.rb
+++ b/lib/puma/const.rb
@@ -241,5 +241,9 @@ module Puma
# Mininum interval to checks worker health
WORKER_CHECK_INTERVAL = 5
+ UNMASKABLE_HEADERS = {
+ "HTTP_TRANSFER,ENCODING" => true,
+ "HTTP_CONTENT,LENGTH" => true,
+ }
end
end
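Review bot: `UNMASKABLE_HEADERS` is a lookup table that decides which comma-form keys are never folded back to underscores, yet it is defined without `.freeze`, so it stays mutable at runtime; closing it with `}.freeze` would match the freeze-constants convention and make the intent explicit. It also lacks a comment on why these two keys are special; suggest `# Underscore spellings of Transfer-Encoding and Content-Length keep their ',' form so they are never merged into the HTTP_TRANSFER_ENCODING / HTTP_CONTENT_LENGTH names the app reads for message framing.` The hunk header counts one more context line than is shown, presumably a blank line dropped by the rendering.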
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
index 84515d7b..131a0d24 100644
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@@ -697,23 +697,30 @@ module Puma
to_add = nil
env.each do |k,v|
- if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+ if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
if to_delete
to_delete << k
else
to_delete = [k]
end
+ new_k = k.tr(",", "_")
+ if env.key?(new_k)
+ next
+ end
+
unless to_add
to_add = {}
end
- to_add[k.tr(",", "_")] = v
+ to_add[new_k] = v
end
end
if to_delete
to_delete.each { |k| env.delete(k) }
+ end
+ if to_add
env.merge! to_add
end
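Review bot: The `next` on the new `if env.key?(new_k)` check runs after `to_delete << k`, so a comma-form key whose underscore twin already exists is deleted rather than merged; that is the right outcome for an aliasing defence but nothing in the code says it is deliberate, so a comment such as `# Drop the '_'-spelt duplicate instead of letting it overwrite the '-' header the app already sees.` above the check would help. Stylistically the three-line `if ... next end` reads better as `next if env.key?(new_k)`, and the `unless to_add` block as `to_add ||= {}`. The enclosing method starts before the hunk and its remaining context lines are not visible here.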