Skip to content

Commit

Permalink
4.3.9 (#2721)
Browse files Browse the repository at this point in the history 
* Fix HTTP request smuggling vulnerability

See GHSA-48w2-rm65-62xx or CVE-2021-41136 for more info.

* 4.3.9 release note

* 4.3.9
  • Loading branch information
@nateberkopec
nateberkopec authored Oct 12, 2021
1 parent b911c13 commit fb6ad8f
Show file tree
Hide file tree
Showing 6 changed files with 90 additions and 48 deletions.
5 changes: 5 additions & 0 deletions History.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
## 4.3.9 / 2021-10-12

* Security
* Do not allow LF as a line ending in a header (CVE-2021-41136)

## 4.3.8 / 2021-05-11

* Security
Expand Down
31 changes: 19 additions & 12 deletions ext/puma_http11/http11_parser.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -428,10 +428,13 @@ case 17:
case 18:
#line 428 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 9: goto tr25;
case 13: goto tr26;
case 32: goto tr27;
}
goto tr25;
if ( 33 <= (*p) && (*p) <= 126 )
goto tr25;
goto st0;
tr25:
#line 44 "ext/puma_http11/http11_parser.rl"
{ MARK(mark, p); }
Expand All @@ -440,10 +443,14 @@ case 18:
if ( ++p == pe )
goto _test_eof19;
case 19:
#line 442 "ext/puma_http11/http11_parser.c"
if ( (*p) == 13 )
goto tr29;
goto st19;
#line 445 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 9: goto st19;
case 13: goto tr29;
}
if ( 32 <= (*p) && (*p) <= 126 )
goto st19;
goto st0;
tr9:
#line 51 "ext/puma_http11/http11_parser.rl"
{
Expand Down Expand Up @@ -486,7 +493,7 @@ case 19:
if ( ++p == pe )
goto _test_eof20;
case 20:
#line 488 "ext/puma_http11/http11_parser.c"
#line 495 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr31;
case 60: goto st0;
Expand All @@ -507,7 +514,7 @@ case 20:
if ( ++p == pe )
goto _test_eof21;
case 21:
#line 509 "ext/puma_http11/http11_parser.c"
#line 516 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr33;
case 60: goto st0;
Expand All @@ -528,7 +535,7 @@ case 21:
if ( ++p == pe )
goto _test_eof22;
case 22:
#line 530 "ext/puma_http11/http11_parser.c"
#line 537 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 43: goto st22;
case 58: goto st23;
Expand All @@ -553,7 +560,7 @@ case 22:
if ( ++p == pe )
goto _test_eof23;
case 23:
#line 555 "ext/puma_http11/http11_parser.c"
#line 562 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr8;
case 34: goto st0;
Expand All @@ -573,7 +580,7 @@ case 23:
if ( ++p == pe )
goto _test_eof24;
case 24:
#line 575 "ext/puma_http11/http11_parser.c"
#line 582 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr37;
case 34: goto st0;
Expand All @@ -596,7 +603,7 @@ case 24:
if ( ++p == pe )
goto _test_eof25;
case 25:
#line 598 "ext/puma_http11/http11_parser.c"
#line 605 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr41;
case 34: goto st0;
Expand All @@ -616,7 +623,7 @@ case 25:
if ( ++p == pe )
goto _test_eof26;
case 26:
#line 618 "ext/puma_http11/http11_parser.c"
#line 625 "ext/puma_http11/http11_parser.c"
switch( (*p) ) {
case 32: goto tr44;
case 34: goto st0;
Expand Down
2 changes: 1 addition & 1 deletion ext/puma_http11/http11_parser_common.rl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@

field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field;

field_value = any* >start_value %write_value;
field_value = ( print | "\t" )* >start_value %write_value;

message_header = field_name ":" " "* field_value :> CRLF;

Expand Down
68 changes: 34 additions & 34 deletions ext/puma_http11/org/jruby/puma/Http11Parser.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@ private static short[] init__puma_parser_key_offsets_0()
{
return new short [] {
0, 0, 8, 17, 27, 29, 30, 31, 32, 33, 34, 36,
39, 41, 44, 45, 61, 62, 78, 80, 81, 89, 97, 107,
115, 124, 132, 140, 149, 158, 167, 176, 185, 194, 203, 212,
221, 230, 239, 248, 257, 266, 275, 284, 293, 302, 303
39, 41, 44, 45, 61, 62, 78, 83, 87, 95, 103, 113,
121, 130, 138, 146, 155, 164, 173, 182, 191, 200, 209, 218,
227, 236, 245, 254, 263, 272, 281, 290, 299, 308, 309
};
}

Expand All @@ -52,14 +52,13 @@ private static char[] init__puma_parser_trans_keys_0()
46, 48, 57, 48, 57, 13, 48, 57, 10, 13, 33, 124,
126, 35, 39, 42, 43, 45, 46, 48, 57, 65, 90, 94,
122, 10, 33, 58, 124, 126, 35, 39, 42, 43, 45, 46,
48, 57, 65, 90, 94, 122, 13, 32, 13, 32, 60, 62,
127, 0, 31, 34, 35, 32, 60, 62, 127, 0, 31, 34,
35, 43, 58, 45, 46, 48, 57, 65, 90, 97, 122, 32,
34, 35, 60, 62, 127, 0, 31, 32, 34, 35, 60, 62,
63, 127, 0, 31, 32, 34, 35, 60, 62, 127, 0, 31,
32, 34, 35, 60, 62, 127, 0, 31, 32, 36, 95, 45,
46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57,
65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
48, 57, 65, 90, 94, 122, 9, 13, 32, 33, 126, 9,
13, 32, 126, 32, 60, 62, 127, 0, 31, 34, 35, 32,
60, 62, 127, 0, 31, 34, 35, 43, 58, 45, 46, 48,
57, 65, 90, 97, 122, 32, 34, 35, 60, 62, 127, 0,
31, 32, 34, 35, 60, 62, 63, 127, 0, 31, 32, 34,
35, 60, 62, 127, 0, 31, 32, 34, 35, 60, 62, 127,
0, 31, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45,
46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57,
65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
Expand All @@ -71,7 +70,8 @@ private static char[] init__puma_parser_trans_keys_0()
65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45,
46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57,
65, 90, 32, 0
65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32,
36, 95, 45, 46, 48, 57, 65, 90, 32, 0
};
}

Expand All @@ -82,7 +82,7 @@ private static byte[] init__puma_parser_single_lengths_0()
{
return new byte [] {
0, 2, 3, 4, 2, 1, 1, 1, 1, 1, 0, 1,
0, 1, 1, 4, 1, 4, 2, 1, 4, 4, 2, 6,
0, 1, 1, 4, 1, 4, 3, 2, 4, 4, 2, 6,
7, 6, 6, 3, 3, 3, 3, 3, 3, 3, 3, 3,
3, 3, 3, 3, 3, 3, 3, 3, 3, 1, 0
};
Expand All @@ -95,7 +95,7 @@ private static byte[] init__puma_parser_range_lengths_0()
{
return new byte [] {
0, 3, 3, 3, 0, 0, 0, 0, 0, 0, 1, 1,
1, 1, 0, 6, 0, 6, 0, 0, 2, 2, 4, 1,
1, 1, 0, 6, 0, 6, 1, 1, 2, 2, 4, 1,
1, 1, 1, 3, 3, 3, 3, 3, 3, 3, 3, 3,
3, 3, 3, 3, 3, 3, 3, 3, 3, 0, 0
};
Expand All @@ -108,9 +108,9 @@ private static short[] init__puma_parser_index_offsets_0()
{
return new short [] {
0, 0, 6, 13, 21, 24, 26, 28, 30, 32, 34, 36,
39, 41, 44, 46, 57, 59, 70, 73, 75, 82, 89, 96,
104, 113, 121, 129, 136, 143, 150, 157, 164, 171, 178, 185,
192, 199, 206, 213, 220, 227, 234, 241, 248, 255, 257
39, 41, 44, 46, 57, 59, 70, 75, 79, 86, 93, 100,
108, 117, 125, 133, 140, 147, 154, 161, 168, 175, 182, 189,
196, 203, 210, 217, 224, 231, 238, 245, 252, 259, 261
};
}

Expand All @@ -125,23 +125,23 @@ private static byte[] init__puma_parser_indicies_0()
10, 1, 11, 1, 12, 1, 13, 1, 14, 1, 15, 1,
16, 15, 1, 17, 1, 18, 17, 1, 19, 1, 20, 21,
21, 21, 21, 21, 21, 21, 21, 21, 1, 22, 1, 23,
24, 23, 23, 23, 23, 23, 23, 23, 23, 1, 26, 27,
25, 29, 28, 30, 1, 1, 1, 1, 1, 31, 32, 1,
1, 1, 1, 1, 33, 34, 35, 34, 34, 34, 34, 1,
8, 1, 9, 1, 1, 1, 1, 35, 36, 1, 38, 1,
1, 39, 1, 1, 37, 40, 1, 42, 1, 1, 1, 1,
41, 43, 1, 45, 1, 1, 1, 1, 44, 2, 46, 46,
46, 46, 46, 1, 2, 47, 47, 47, 47, 47, 1, 2,
48, 48, 48, 48, 48, 1, 2, 49, 49, 49, 49, 49,
1, 2, 50, 50, 50, 50, 50, 1, 2, 51, 51, 51,
51, 51, 1, 2, 52, 52, 52, 52, 52, 1, 2, 53,
53, 53, 53, 53, 1, 2, 54, 54, 54, 54, 54, 1,
2, 55, 55, 55, 55, 55, 1, 2, 56, 56, 56, 56,
56, 1, 2, 57, 57, 57, 57, 57, 1, 2, 58, 58,
58, 58, 58, 1, 2, 59, 59, 59, 59, 59, 1, 2,
60, 60, 60, 60, 60, 1, 2, 61, 61, 61, 61, 61,
1, 2, 62, 62, 62, 62, 62, 1, 2, 63, 63, 63,
63, 63, 1, 2, 1, 1, 0
24, 23, 23, 23, 23, 23, 23, 23, 23, 1, 25, 26,
27, 25, 1, 28, 29, 28, 1, 30, 1, 1, 1, 1,
1, 31, 32, 1, 1, 1, 1, 1, 33, 34, 35, 34,
34, 34, 34, 1, 8, 1, 9, 1, 1, 1, 1, 35,
36, 1, 38, 1, 1, 39, 1, 1, 37, 40, 1, 42,
1, 1, 1, 1, 41, 43, 1, 45, 1, 1, 1, 1,
44, 2, 46, 46, 46, 46, 46, 1, 2, 47, 47, 47,
47, 47, 1, 2, 48, 48, 48, 48, 48, 1, 2, 49,
49, 49, 49, 49, 1, 2, 50, 50, 50, 50, 50, 1,
2, 51, 51, 51, 51, 51, 1, 2, 52, 52, 52, 52,
52, 1, 2, 53, 53, 53, 53, 53, 1, 2, 54, 54,
54, 54, 54, 1, 2, 55, 55, 55, 55, 55, 1, 2,
56, 56, 56, 56, 56, 1, 2, 57, 57, 57, 57, 57,
1, 2, 58, 58, 58, 58, 58, 1, 2, 59, 59, 59,
59, 59, 1, 2, 60, 60, 60, 60, 60, 1, 2, 61,
61, 61, 61, 61, 1, 2, 62, 62, 62, 62, 62, 1,
2, 63, 63, 63, 63, 63, 1, 2, 1, 1, 0
};
}

Expand Down
2 changes: 1 addition & 1 deletion lib/puma/const.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ class UnsupportedOption < RuntimeError
# too taxing on performance.
module Const

PUMA_VERSION = VERSION = "4.3.8".freeze
PUMA_VERSION = VERSION = "4.3.9".freeze
CODE_NAME = "Mysterious Traveller".freeze
PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze

Expand Down
30 changes: 30 additions & 0 deletions test/test_http11.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -208,4 +208,34 @@ def test_trims_whitespace_from_headers

assert_equal "Strip This", req["HTTP_X_STRIP_ME"]
end

def test_newline_smuggler
parser = Puma::HttpParser.new
req = {}
http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: x\nDummy2: y\r\n\r\n"

parser.execute(req, http, 0) rescue nil # We test the raise elsewhere.

assert parser.error?, "Parser SHOULD have error"
end

def test_newline_smuggler_two
parser = Puma::HttpParser.new
req = {}
http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: x\r\nDummy: y\nDummy2: z\r\n\r\n"

parser.execute(req, http, 0) rescue nil

assert parser.error?, "Parser SHOULD have error"
end

def test_htab_in_header_val
parser = Puma::HttpParser.new
req = {}
http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: Valid\tValue\r\n\r\n"

parser.execute(req, http, 0)

assert_equal "Valid\tValue", req['HTTP_DUMMY']
end
end

0 comments on commit fb6ad8f

Please sign in to comment.