Describe the bug
Currently, normalize_env (in lib/puma/request.rb line 231) splits HTTP_HOST into SERVER_NAME and SERVER_PORT by finding the colon using String.index (if there is one.) This works fine for IPv4 addresses, but with IPv6 addresses this results in improperly split values being stored in SERVER_NAME and SERVER_PORT.
For example, an HTTP_HOST value of [::1]:9292 would result in SERVER_NAME being set to [ and SERVER_PORT being set to :1]:9292. Further up the stack, Rack catches this and panics.
Puma config:
A "hello world" config.ru:
...then just run rackup.
To Reproduce
Open a browser and navigate to the application using the IPv6 loopback address ([::1]:9292). I'd create a link, but GitHub seems to choke on the bracketing.
Alternatively, use curl:
curl 'http://[::1]:9292/'
I won't dump the entire HTML result in here, but you should receive a backtrace from Rack starting with:
Rack::Lint::LintError at /
env[SERVER_PORT] is not an Integer
Expected behavior
The "hello world" application above returns an empty response, so you should see nothing at all. Just a blank page. You can confirm this by replacing lib/puma/request.rb line 233:
if colon = host.index(":")
...with:
if colon = host.index(/:\d+$/)
Desktop (please complete the following information):
OS: macOS Big Sur (11.2.3)
Puma Version: 5.2.2, though I've confirmed the offending line still exists in HEAD.
kaorihinata changed the title from "Naive parsing of HTTP_HOST in normalize_env breaks on IPv6 addresses." to "Simple method of parsing HTTP_HOST in normalize_env breaks on IPv6 addresses." on Mar 26, 2021
* Improve parsing of HTTP_HOST header
IPV6 Host was not properly parsed.
#2584
* Extracted Regex to constant
* Incorporate feedback
IPV6 are bracketed but contain colons so I needed to adapt the logic to separate host/port.
Co-authored-by: pascal betz <pascal.betz@swisscom.com>
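The mis-split described in the issue, next to one bracket-aware way to separate host and port, as an added example that is neither Puma's code nor the fix from the commit above. The names `naive_split`, `split_host`, `port_ok?`, `ipv6_literal?`, `DEFAULT_PORT` and the sample Host values are assumptions made for illustration.

```ruby
require "ipaddr"

# Added example, not Puma's code. DEFAULT_PORT is an assumed fallback.
DEFAULT_PORT = "80"

# The split the issue describes: cut at the first colon, wherever it is.
def naive_split(host)
  colon = host.index(":")
  return [host, DEFAULT_PORT] unless colon
  [host[0, colon], host[(colon + 1)..-1]]
end

# Stand-in for the check behind the Rack error quoted in the issue:
# SERVER_PORT has to consist of digits only.
def port_ok?(port)
  port.match?(/\A\d+\z/)
end

# \A and \z anchor to the whole string, so an embedded newline cannot hide a suffix.
BRACKETED = /\A\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?\z/
PLAIN     = /\A([^\[\]:\s]+)(?::(\d{1,5}))?\z/

def ipv6_literal?(text)
  IPAddr.new(text).ipv6?
rescue IPAddr::Error
  false
end

# Bracket-aware split. Returns [name, port] as strings, or nil when the value
# is not a hostname, an IPv4 address or a bracketed IPv6 literal with an
# optional port, so the caller can reject the request.
def split_host(host)
  if (m = BRACKETED.match(host))
    return nil unless ipv6_literal?(m[1])
    name = "[#{m[1]}]"
  elsif (m = PLAIN.match(host))
    name = m[1]
  else
    return nil
  end
  port = m[2] || DEFAULT_PORT
  port.to_i.between?(1, 65_535) ? [name, port] : nil
end
```

Returning nil for a malformed value lets the caller answer with a 400 instead of passing a client-controlled, half-parsed Host into SERVER_NAME and SERVER_PORT.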