diff options
Diffstat (limited to 'www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch')
-rw-r--r-- | www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch b/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch new file mode 100644 index 000000000000..673641a91627 --- /dev/null +++ b/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch @@ -0,0 +1,115 @@ +From f3b409c565d67557c04ad37c10a42dd8cad0b655 Mon Sep 17 00:00:00 2001 +From: Evan Phoenix <evan@phx.io> +Date: Tue, 19 May 2020 15:20:10 -0700 +Subject: [PATCH] Reduce ambiguity of headers + +--- + ext/puma_http11/http11_parser.c | 4 +++- + ext/puma_http11/http11_parser.rl | 4 +++- + lib/puma/server.rb | 31 +++++++++++++++++++++++++++++++ + 3 files changed, 37 insertions(+), 2 deletions(-) + +diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c +index 0b5fdabc3..bf1dd89ab 100644 +--- a/ext/puma_http11/http11_parser.c ++++ b/ext/puma_http11/http11_parser.c +@@ -14,12 +14,14 @@ + + /* + * capitalizes all lower-case ASCII characters, +- * converts dashes to underscores. ++ * converts dashes to underscores, and underscores to commas. + */ + static void snake_upcase_char(char *c) + { + if (*c >= 'a' && *c <= 'z') + *c &= ~0x20; ++ else if (*c == '_') ++ *c = ','; + else if (*c == '-') + *c = '_'; + } +diff --git a/ext/puma_http11/http11_parser.rl b/ext/puma_http11/http11_parser.rl +index 880c1d40b..62452ba7c 100644 +--- a/ext/puma_http11/http11_parser.rl ++++ b/ext/puma_http11/http11_parser.rl +@@ -12,12 +12,14 @@ + + /* + * capitalizes all lower-case ASCII characters, +- * converts dashes to underscores. ++ * converts dashes to underscores, and underscores to commas. + */ + static void snake_upcase_char(char *c) + { + if (*c >= 'a' && *c <= 'z') + *c &= ~0x20; ++ else if (*c == '_') ++ *c = ','; + else if (*c == '-') + *c = '_'; + } +diff --git a/lib/puma/server.rb b/lib/puma/server.rb +index b8e8a7b48..0e123687c 100644 +--- a/lib/puma/server.rb ++++ b/lib/puma/server.rb +@@ -672,6 +672,37 @@ def handle_request(req, lines) + } + end + ++ # Fixup any headers with , in the name to have _ now. We emit ++ # headers with , in them during the parse phase to avoid ambiguity ++ # with the - to _ conversion for critical headers. But here for ++ # compatibility, we'll convert them back. This code is written to ++ # avoid allocation in the common case (ie there are no headers ++ # with , in their names), that's why it has the extra conditionals. ++ ++ to_delete = nil ++ to_add = nil ++ ++ env.each do |k,v| ++ if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING" ++ if to_delete ++ to_delete << k ++ else ++ to_delete = [k] ++ end ++ ++ unless to_add ++ to_add = {} ++ end ++ ++ to_add[k.gsub(",", "_")] = v ++ end ++ end ++ ++ if to_delete ++ to_delete.each { |k| env.delete(k) } ++ env.merge! to_add ++ end ++ + # A rack extension. If the app writes #call'ables to this + # array, we will invoke them when the request is done. + # +From 6d87ed2101dab40e6aaa85b0df01433cfb84df53 Mon Sep 17 00:00:00 2001 +From: Evan Phoenix <evan@phx.io> +Date: Tue, 19 May 2020 15:34:06 -0700 +Subject: [PATCH] Adjust test to match real world value + +--- + test/test_puma_server.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb +index 75fcc22e8..a10490a71 100644 +--- a/test/test_puma_server.rb ++++ b/test/test_puma_server.rb +@@ -151,7 +151,7 @@ def test_default_server_port_respects_x_forwarded_proto + + req = Net::HTTP::Get.new("/") + req['HOST'] = "example.com" +- req['X_FORWARDED_PROTO'] = "https,http" ++ req['X-FORWARDED-PROTO'] = "https,http" + + res = Net::HTTP.start @host, @server.connected_port do |http| + http.request(req) |