rubygem-puma/CVE-2024-45614.patch
2024-09-27 15:35:56 +08:00


From f196b23be24712fb8fb16051cc124798cc84f70e Mon Sep 17 00:00:00 2001
From: Evan Phoenix <evan@phx.io>
Date: Wed, 18 Sep 2024 21:56:07 -0700
Subject: [PATCH] Merge commit from fork
Refer:
https://bugzilla.suse.com/attachment.cgi?id=877575
https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
* Prevent underscores from clobbering hyphen headers
* Special case encoding headers to prevent app confusion
* Handle _ as , in jruby as well
* Silence RuboCop offense
---------
Co-authored-by: Patrik Ragnarsson <patrik@starkast.net>
---
ext/puma_http11/org/jruby/puma/Http11.java | 2 ++
lib/puma/const.rb | 5 +++++
lib/puma/server.rb | 11 +++++++++--
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/ext/puma_http11/org/jruby/puma/Http11.java b/ext/puma_http11/org/jruby/puma/Http11.java
index 59dde37..25573ad 100644
--- a/ext/puma_http11/org/jruby/puma/Http11.java
+++ b/ext/puma_http11/org/jruby/puma/Http11.java
@@ -91,6 +91,8 @@ public class Http11 extends RubyObject {
for(int i = 0,j = b.length();i<j;i++) {
if((b.get(i) & 0xFF) == '-') {
b.set(i, (byte)'_');
+ } else if((b.get(i) & 0xFF) == '_') {
+ b.set(i, (byte)',');
} else {
b.set(i, (byte)Character.toUpperCase((char)b.get(i)));
}
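Review bot: The new `else if` branch that rewrites `_` to `,` has no comment, and the substitution is not self-explanatory when this loop is read on its own. Because the branch above already turns `-` into `_`, the comma appears to act as a marker that lets later code tell a header sent with an underscore from one sent with a hyphen. A comment such as `// '_' becomes ',' so underscore headers stay distinguishable from hyphen ones once '-' is mapped to '_'` would record that intent. The loop and its enclosing method start and end outside the hunk.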
diff --git a/lib/puma/const.rb b/lib/puma/const.rb
index 8b08ed0..3068add 100644
--- a/lib/puma/const.rb
+++ b/lib/puma/const.rb
@@ -235,5 +235,10 @@ module Puma
HIJACK_IO = "rack.hijack_io".freeze
EARLY_HINTS = "rack.early_hints".freeze
+
+ UNMASKABLE_HEADERS = {
+ "HTTP_TRANSFER,ENCODING" => true,
+ "HTTP_CONTENT,LENGTH" => true,
+ }
end
end
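Review bot: `UNMASKABLE_HEADERS` is left mutable, while the neighbouring constants in this hunk end in `.freeze`. Closing it with `}.freeze` keeps this security-relevant list from being altered at runtime. A short comment above it would also help, e.g. `# Comma-form (underscore-sent) keys that are never rewritten to the standard header name`, since the reason these two message-framing headers are special-cased is stated only in the commit message.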
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
index 7871c91..35b4099 100644
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@@ -681,23 +681,30 @@ module Puma
to_add = nil
env.each do |k,v|
- if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+ if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
if to_delete
to_delete << k
else
to_delete = [k]
end
+ new_k = k.gsub(",", "_")
+ if env.key?(new_k)
+ next
+ end
+
unless to_add
to_add = {}
end
- to_add[k.gsub(",", "_")] = v
+ to_add[new_k] = v
end
end
if to_delete
to_delete.each { |k| env.delete(k) }
+ end
+ if to_add
env.merge! to_add
end
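Review bot: The added `env.key?(new_k)` guard only checks names already present in `env`, so two different comma-form keys that normalise to the same name still overwrite each other at `to_add[new_k] = v`. With the parser mapping `-` to `_` and `_` to `,`, keys such as `HTTP_X,FOO_BAR` and `HTTP_X_FOO,BAR` both become `HTTP_X_FOO_BAR`, and the value the app sees then depends on `env` iteration order. A first-wins guard, `next if env.key?(new_k) || to_add&.key?(new_k)`, would make the result deterministic; a regression test for that case would be worth adding, since the diffstat shows no test files. The enclosing method starts and ends outside the hunk.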
--
2.46.0