5.6.2 (#2821)

* Ensure `close` is called on the response body no matter what

Another fallout from #2809 is that
in some cases the `res_body.close` wasn't called because some previous code
raised.

For Rails apps it means CurrentAttributes and a few other important
states aren't reset properly.

This is being improved on the Rails side too, but I believe it would
be good to harden this on the puma side as well.

* 5.6.2

Co-authored-by: Jean Boussier <jean.boussier@gmail.com>

History.md

@@ -1,3 +1,8 @@
+## 5.6.2 / 2022-02-11
+
+* Bugfix/Security
+  * Response body will always be `close`d. (GHSA-rmj8-8hhh-gv5h, related to [#2809])
+
 ## 5.6.1 / 2022-01-26
 
 * Bugfixes

lib/puma/const.rb

@@ -100,7 +100,7 @@ class UnsupportedOption < RuntimeError
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "5.6.1".freeze
+    PUMA_VERSION = VERSION = "5.6.2".freeze
     CODE_NAME = "Birdie's Version".freeze
 
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze

lib/puma/request.rb

@@ -167,11 +167,16 @@ def handle_request(client, lines, requests)
         end
 
       ensure
-        uncork_socket io
-
-        body.close
-        client.tempfile.unlink if client.tempfile
-        res_body.close if res_body.respond_to? :close
+        begin
+          uncork_socket io
+
+          body.close
+          client.tempfile.unlink if client.tempfile
+        ensure
+          # Whatever happens, we MUST call `close` on the response body.
+          # Otherwise Rack::BodyProxy callbacks may not fire and lead to various state leaks
+          res_body.close if res_body.respond_to? :close
+        end
 
         after_reply.each { |o| o.call }
       end