Fix CVE-2024-45614

CVE-2024-45614.patch

@@ -0,0 +1,95 @@
+From f196b23be24712fb8fb16051cc124798cc84f70e Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Wed, 18 Sep 2024 21:56:07 -0700
+Subject: [PATCH] Merge commit from fork
+
+Refer:
+https://bugzilla.suse.com/attachment.cgi?id=877575
+https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
+
+* Prevent underscores from clobbering hyphen headers
+
+* Special case encoding headers to prevent app confusion
+
+* Handle _ as , in jruby as well
+
+* Silence RuboCop offense
+
+---------
+
+Co-authored-by: Patrik Ragnarsson <patrik@starkast.net>
+
+---
+ ext/puma_http11/org/jruby/puma/Http11.java |  2 ++
+ lib/puma/const.rb                          |  5 +++++
+ lib/puma/server.rb                         | 11 +++++++++--
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/ext/puma_http11/org/jruby/puma/Http11.java b/ext/puma_http11/org/jruby/puma/Http11.java
+index 59dde37..25573ad 100644
+--- a/ext/puma_http11/org/jruby/puma/Http11.java
++++ b/ext/puma_http11/org/jruby/puma/Http11.java
+@@ -91,6 +91,8 @@ public class Http11 extends RubyObject {
+                 for(int i = 0,j = b.length();i<j;i++) {
+                     if((b.get(i) & 0xFF) == '-') {
+                         b.set(i, (byte)'_');
++                    } else if((b.get(i) & 0xFF) == '_') {
++                        b.set(i, (byte)',');
+                     } else {
+                         b.set(i, (byte)Character.toUpperCase((char)b.get(i)));
+                     }
+diff --git a/lib/puma/const.rb b/lib/puma/const.rb
+index 8b08ed0..3068add 100644
+--- a/lib/puma/const.rb
++++ b/lib/puma/const.rb
+@@ -235,5 +235,10 @@ module Puma
+     HIJACK_IO = "rack.hijack_io".freeze
+ 
+     EARLY_HINTS = "rack.early_hints".freeze
++
++    UNMASKABLE_HEADERS = {
++      "HTTP_TRANSFER,ENCODING" => true,
++      "HTTP_CONTENT,LENGTH" => true,
++    }
+   end
+ end
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index 7871c91..35b4099 100644
+--- a/lib/puma/server.rb
++++ b/lib/puma/server.rb
+@@ -681,23 +681,30 @@ module Puma
+       to_add = nil
+ 
+       env.each do |k,v|
+-        if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
++        if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
+           if to_delete
+             to_delete << k
+           else
+             to_delete = [k]
+           end
+ 
++          new_k = k.gsub(",", "_")
++          if env.key?(new_k)
++            next
++          end
++
+           unless to_add
+             to_add = {}
+           end
+ 
+-          to_add[k.gsub(",", "_")] = v
++          to_add[new_k] = v
+         end
+       end
+ 
+       if to_delete
+         to_delete.each { |k| env.delete(k) }
++      end
++      if to_add
+         env.merge! to_add
+       end
+ 
+-- 
+2.46.0
+

rubygem-puma.spec

@@ -2,7 +2,7 @@
 %bcond_with ragel
 Name:                rubygem-%{gem_name}
 Version:             3.12.6
-Release:             3
+Release:             4
 Summary:             A simple, fast, threaded, and highly concurrent HTTP 1.1 server
 License:             BSD
 URL:                 http://puma.io
@@ -16,6 +16,7 @@ Patch1:              CVE-2021-29509.patch
 Patch2:              CVE-2021-41136.patch
 # https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
 Patch3:              CVE-2022-23634.patch
+Patch4:              CVE-2024-45614.patch
 
 BuildRequires:       openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
 BuildRequires:       rubygem(minitest)
@@ -40,6 +41,7 @@ Documentation for %{name}.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %if %{with ragel}
 rm -f ext/puma_http11/http11_parser.c
@@ -106,6 +108,9 @@ popd
 %{gem_instdir}/tools
 
 %changelog
+* Fri Sep 27 2024 wangkai <13474090681@163.com> - 3.12.6-4
+- Fix CVE-2024-45614
+
 * Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 3.12.6-3
 - Fix CVE-2021-41136 and CVE-2022-23634