Do not raise error raised on CONNECT, fixes #1441 (#2932)

2022-11-09 13:48:40 -05:00 · 2022-09-13 01:27:26 +02:00 · 2022-09-13 01:27:26 +02:00 · 1b6b8adfae
commit 1b6b8adfae
parent 5dbb75ccbe
3 changed files with 30 additions and 5 deletions
--- a/lib/puma/const.rb
+++ b/lib/puma/const.rb
@ -148,6 +148,14 @@ module Puma

    REQUEST_METHOD = "REQUEST_METHOD".freeze
    HEAD = "HEAD".freeze
+    GET = "GET".freeze
+    POST = "POST".freeze
+    PUT = "PUT".freeze
+    DELETE = "DELETE".freeze
+    OPTIONS = "OPTIONS".freeze
+    TRACE = "TRACE".freeze
+    PATCH = "PATCH".freeze
+    SUPPORTED_HTTP_METHODS = [HEAD, GET, POST, PUT, DELETE, OPTIONS, TRACE, PATCH].freeze
    # ETag is based on the apache standard of hex mtime-size-inode (inode is 0 on win32)
    LINE_END = "\r\n".freeze
    REMOTE_ADDR = "REMOTE_ADDR".freeze
--- a/lib/puma/request.rb
+++ b/lib/puma/request.rb
@ -73,8 +73,13 @@ module Puma

      begin
        begin
-          status, headers, res_body = @thread_pool.with_force_shutdown do
-            @app.call(env)
+          if SUPPORTED_HTTP_METHODS.include?(env[REQUEST_METHOD])
+            status, headers, res_body = @thread_pool.with_force_shutdown do
+              @app.call(env)
+            end
+          else
+            @log_writer.log "Unsupported HTTP method used: #{env[REQUEST_METHOD]}"
+            status, headers, res_body = [501, {}, ["#{env[REQUEST_METHOD]} method is not supported"]]
          end

          return :async if client.hijacked
@ -271,14 +276,12 @@ module Puma
        uri = URI.parse(env[REQUEST_URI])
        env[REQUEST_PATH] = uri.path

-        raise "No REQUEST PATH" unless env[REQUEST_PATH]
-
        # A nil env value will cause a LintError (and fatal errors elsewhere),
        # so only set the env value if there actually is a value.
        env[QUERY_STRING] = uri.query if uri.query
      end

-      env[PATH_INFO] = env[REQUEST_PATH]
+      env[PATH_INFO] = env[REQUEST_PATH].to_s # #to_s in case it's nil

      # From https://www.ietf.org/rfc/rfc3875 :
      # "Script authors should be aware that the REMOTE_ADDR and
--- a/test/test_web_server.rb
+++ b/test/test_web_server.rb
@ -79,6 +79,20 @@ class WebServerTest < Minitest::Test
    socket.close
  end

+  def test_unsupported_method
+    socket = do_test("CONNECT www.zedshaw.com:443 HTTP/1.1\r\nConnection: close\r\n\r\n", 100)
+    response = socket.read
+    assert_match "Not Implemented", response
+    socket.close
+  end
+
+  def test_nonexistent_method
+    socket = do_test("FOOBARBAZ www.zedshaw.com:443 HTTP/1.1\r\nConnection: close\r\n\r\n", 100)
+    response = socket.read
+    assert_match "Not Implemented", response
+    socket.close
+  end
+
  private

  def do_test(string, chunk)