🚨 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma

Impact

Prior to puma version 5.5.0, using puma with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as "low". Puma is only aware of a single proxy server which has this behavior.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

This vulnerability was patched in Puma 5.5.1 and 4.3.9.

Workarounds

This vulnerability only affects Puma installations without any proxy in front.

Use a proxy which does not forward LF characters as line endings.

Proxies which do not forward LF characters as line endings:

• Nginx
• Apache (>2.4.25)
• Haproxy
• Caddy
• Traefik

Possible Breakage

If you are dealing with legacy clients that want to send LF as a line ending in an HTTP header, this will cause those clients to receive a 400 error.

References

• HTTP Request Smuggling

🚨 Keepalive Connections Causing Denial Of Service in puma

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected
existing connections that had already been accepted from having their
requests starved by greedy persistent-connections saturating all threads in
the same process. However, new connections may still be starved by greedy
persistent-connections saturating all threads in all processes in the
cluster.

A puma server which received more concurrent keep-alive connections than the
server had threads in its threadpool would service only a subset of
connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when
using puma without a reverse proxy, such as nginx or apache, because you will
open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using
unsupported versions of Puma.

5.6.1

Bugfixes

• Reverted a commit which appeared to be causing occasional blank header values (see issue #2808) (#2809)

Full Changelog: v5.6.0...v5.6.1

5.6.0

Maintainer @nateberkopec had a daughter, nicknamed Birdie:

5.6.0 / 2022-01-25

• Features

  • Support localhost integration in ssl_bind ([#2764], [#2708])
  • Allow backlog parameter to be set with ssl_bind DSL ([#2780])
  • Remove yaml (psych) requirement in StateFile ([#2784])
  • Allow culling of oldest workers, previously was only youngest ([#2773], [#2794])
  • Add worker_check_interval configuration option ([#2759])
  • Always send lowlevel_error response to client ([#2731], [#2341])
  • Support for cert_pem and key_pem with ssl_bind DSL ([#2728])

• Bugfixes

  • Keep thread names under 15 characters, prevents breakage on some OSes ([#2733])
  • Fix two 'old-style-definition' compile warning ([#2807], [#2806])
  • Log environment correctly using option value ([#2799])
  • Fix warning from Ruby master (will be 3.2.0) ([#2785])
  • extconf.rb - fix openssl with old Windows builds ([#2757])
  • server.rb - rescue handling (Errno::EBADF) for @notify.close ([#2745])

• Refactor

  • server.rb - refactor code using @options[:remote_address] ([#2742])
  • [jruby] a couple refactorings - avoid copy-ing bytes ([#2730])

5.5.2

Re-allows UTF-8 in HTTP header values

5.5.1

GHSA-48w2-rm65-62xx

5.5.0

5.5.0 / 2021-09-19

Zawgyi (Burmese: ဇော်ဂျီ) is a semi-immortal human alchemist and mystic with supernatural powers and often seen with a magic stick and a red hat. Zawgyi is one of the supernatural figures in Burmese mythology and folklore. Name chosen by new (Myanma!) contributor @ye-lin-aung.

The headline feature of this release is a new integration with the localhost gem. Localhost takes care of creating a self-signed SSL certificate for you in development. Require it in your config.ru:

# Sinatra
require './app'
require 'localhost/authority'
run Sinatra::Application
# Rails 

require 'localhost/authority' if Rails.env.development?

run MyRailsApp::Application

... and in the development environment, Puma will use a self-signed SSL cert generated by Localhost if no other cert is provided.

• Features

  • Automatic SSL certificate provisioning for localhost, via localhost gem ([#2610], [#2257])
  • add support for the PROXY protocol (v1 only) ([#2654], [#2651])
  • Add a semantic CLI option for no config file ([#2689])

• Bugfixes

  • More elaborate exception handling - lets some dead pumas die. ([#2700], [#2699])
  • allow multiple after_worker_fork hooks ([#2690])
  • Preserve BUNDLE_APP_CONFIG on worker fork ([#2688], [#2687])

• Performance

  • Fix performance of server-side SSL connection close. ([#2675])

5.4.0

• Features

  • Better/expanded names for threadpool threads ([#2657])
  • Allow pkg_config for OpenSSL ([#2648], [#1412])
  • Add rack_url_scheme to Puma::DSL, allows setting of rack.url_scheme header ([#2586], [#2569])

• Bugfixes

  • Binder#parse - allow for symlinked unix path, add create_activated_fds debug ENV ([#2643], [#2638])
  • Fix deprecation warning: minissl.c - Use Random.bytes if available ([#2642])
  • Client certificates: set session id context while creating SSLContext ([#2633])

• Refactor

  • Replace IO.select with IO#wait_* when checking a single IO ([#2666])

5.3.2 (from changelog)

• Bugfixes
  • Gracefully handle Rack not accepting CLI options (#2630, #2626)
  • Fix sigterm misbehavior (#2629)
  • Improvements to keepalive-connection shedding (#2628)

5.3.1

• Security
  • Close keepalive connections after the maximum number of fast inlined requests (#2625)

5.3.0

5.3.0 / 2021-05-07

Contributor @MSP-Greg codenamed this release "Sweetnighter".

• Features

  • Add support for Linux's abstract sockets ([#2564], [#2526])
  • Add debug to worker timeout and startup ([#2559], [#2528])
  • Print warning when running one-worker cluster ([#2565], [#2534])
  • Don't close systemd activated socket on pumactl restart ([#2563], [#2504])

• Bugfixes

  • systemd - fix event firing ([#2591], [#2572])
  • Immediately unlink temporary files ([#2613])
  • Improve parsing of HTTP_HOST header ([#2605], [#2584])
  • Handle fatal error that has no backtrace ([#2607], [#2552])
  • Fix timing out requests too early ([#2606], [#2574])
  • Handle segfault in Ruby 2.6.6 on thread-locals ([#2567], [#2566])
  • Server#closed_socket? - parameter may be a MiniSSL::Socket ([#2596])
  • Define UNPACK_TCP_STATE_FROM_TCP_INFO in the right place ([#2588], [#2556])
  • request.rb - fix chunked assembly for ascii incompatible encodings, add test ([#2585], [#2583])

• Performance

  • Reset peerip only if remote_addr_header is set ([#2609])
  • Reduce puma_parser struct size ([#2590])

• Refactor

  • Refactor drain on shutdown ([#2600])
  • Micro optimisations in wait_for_less_busy_worker feature ([#2579])
  • Lots of test fixes

5.2.2 (from changelog)

• Bugfixes
  • Add #flush and #sync methods to Puma::NullIO (#2553)
  • Restore sync=true on STDOUT and STDERR streams (#2557)

5.2.1

2021-02-05

• Bugfixes
  • Fix TCP cork/uncork operations to work with ssl clients ([#2550])
  • Require rack/common_logger explicitly if :verbose is true ([#2547])
  • MiniSSL::Socket#write - use data.byteslice(wrote..-1) ([#2543])
  • Set @env[CONTENT_LENGTH] value as string. ([#2549])

5.2.0

• Features

  • 10x latency improvement for MRI on ssl connections by reducing overhead ([#2519])
  • Add option to specify the desired IO selector backend for libev ([#2522])
  • Add ability to set OpenSSL verification flags (MRI only) ([#2490])
  • Uses flush after writing messages to avoid mutating $stdout and $stderr using sync=true ([#2486])

• Bugfixes

  • MiniSSL - Update dhparam to 2048 bit for use with SSL_CTX_set_tmp_dh ([#2535])
  • Change 'Goodbye!' message to be output after listeners are closed ([#2529])
  • Fix ssl bind logging with 0.0.0.0 and localhost ([#2533])
  • Fix compiler warnings, but skipped warnings related to ragel state machine generated code ([#1953])
  • Fix phased restart errors related to nio4r gem when using the Puma control server ([#2516])
  • Add #string method to Puma::NullIO ([#2520])
  • Fix binding via Rack handler to IPv6 addresses ([#2521])

• Refactor

  • Refactor MiniSSL::Context on MRI, fix MiniSSL::Socket#write ([#2519])
  • Remove Server#read_body ([#2531])
  • Fail build if compiling extensions raises warnings on GH Actions, configurable via MAKE_WARNINGS_INTO_ERRORS ([#1953])

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

See the full diff on Github. The new version differs by 25 commits:

• Bump patch version.
• Remove guard from Gemfile.
• Fix incorrect return types. Fixes #275.
• Patch version bump.
• Allow usage of native extension by default.
• Don't try to link universal extension.
• Patch version bump.
• Suggest kqueue on OSX if >= 10.12.2
• Avoid requiring linux kernel headers to be present
• CI: Remove the macos-11.0 target, for now
• CHANGES.md: add v2.5.5
• Patch version bump.
• Be more explicit with why `pure?` is being used.
• Workaround for ARM-based macOS bundled Ruby
• Allow pure Ruby and Java NIO::Selector to be initialized with nil
• Declare linuxaio and io_uring experimental
• linuxaio is actually only supported on linux kernel 4.19+
• Define EV_USE_IOURING if header is present
• Patch libev and add support for linuxaio and io_uring
• Upgrade libev to verion 4.33
• Add ruby 3.0 to the README
• Add ruby 3.0 to the CI pipeline
• Actions - add MRI head/master for Ubuntu & macOS
• Update Actions workflow - OS changes & additions
• Fix javac -Xlint warnings

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)