gentoo-overlay/www-servers/puma/files/puma-3.12.5-cve-2020-11077.patch

From 089df0727ffab1b3b69f2e6da40597c52e346013 Mon Sep 17 00:00:00 2001
From: Evan Phoenix <evan@phx.io>
Date: Tue, 19 May 2020 15:20:10 -0700
Subject: [PATCH] Reduce ambiguity of headers

---
 ext/puma_http11/http11_parser.c  |  4 +++-
 ext/puma_http11/http11_parser.rl |  4 +++-
 lib/puma/server.rb               | 31 +++++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c
index 453f8cd40..e8844a37e 100644
--- a/ext/puma_http11/http11_parser.c
+++ b/ext/puma_http11/http11_parser.c
@@ -14,12 +14,14 @@
 
 /*
  * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
  */
 static void snake_upcase_char(char *c)
 {
     if (*c >= 'a' && *c <= 'z')
       *c &= ~0x20;
+    else if (*c == '_')
+      *c = ',';
     else if (*c == '-')
       *c = '_';
 }
diff --git a/ext/puma_http11/http11_parser.rl b/ext/puma_http11/http11_parser.rl
index 880c1d40b..62452ba7c 100644
--- a/ext/puma_http11/http11_parser.rl
+++ b/ext/puma_http11/http11_parser.rl
@@ -12,12 +12,14 @@
 
 /*
  * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
  */
 static void snake_upcase_char(char *c)
 {
     if (*c >= 'a' && *c <= 'z')
       *c &= ~0x20;
+    else if (*c == '_')
+      *c = ',';
     else if (*c == '-')
       *c = '_';
 }
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
index d870b383f..5b2cd94df 100644
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@@ -665,6 +665,37 @@ def handle_request(req, lines)
         }
       end
 
+      # Fixup any headers with , in the name to have _ now. We emit
+      # headers with , in them during the parse phase to avoid ambiguity
+      # with the - to _ conversion for critical headers. But here for
+      # compatibility, we'll convert them back. This code is written to
+      # avoid allocation in the common case (ie there are no headers
+      # with , in their names), that's why it has the extra conditionals.
+
+      to_delete = nil
+      to_add = nil
+
+      env.each do |k,v|
+        if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+          if to_delete
+            to_delete << k
+          else
+            to_delete = [k]
+          end
+
+          unless to_add
+            to_add = {}
+          end
+
+          to_add[k.gsub(",", "_")] = v
+        end
+      end
+
+      if to_delete
+        to_delete.each { |k| env.delete(k) }
+        env.merge! to_add
+      end
+
       # A rack extension. If the app writes #call'ables to this
       # array, we will invoke them when the request is done.
       #
From 0a3c09a0603857f088571d0eb69e0b9adee0fed1 Mon Sep 17 00:00:00 2001
From: Evan Phoenix <evan@phx.io>
Date: Tue, 19 May 2020 15:34:06 -0700
Subject: [PATCH] Adjust test to match real world value

---
 test/test_puma_server.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb
index 9d40cd5f3..375eca399 100644
--- a/test/test_puma_server.rb
+++ b/test/test_puma_server.rb
@@ -137,6 +137,7 @@ def test_default_server_port
 
     req = Net::HTTP::Get.new("/")
     req['HOST'] = "example.com"
+    req['X-FORWARDED-PROTO'] = "https,http"
 
     res = Net::HTTP.start @host, @server.connected_port do |http|
       http.request(req)