Do not raise error raised on CONNECT, fixes #1441 (#2932)

mrzasa · web-flow · commit 1b6b8adfaeb4 · 2022-09-13T08:27:26.000+09:00
diff --git a/lib/puma/const.rb b/lib/puma/const.rb
@@ -148,6 +148,14 @@ module Const
 
     REQUEST_METHOD = "REQUEST_METHOD".freeze
     HEAD = "HEAD".freeze
+    GET = "GET".freeze
+    POST = "POST".freeze
+    PUT = "PUT".freeze
+    DELETE = "DELETE".freeze
+    OPTIONS = "OPTIONS".freeze
+    TRACE = "TRACE".freeze
+    PATCH = "PATCH".freeze
+    SUPPORTED_HTTP_METHODS = [HEAD, GET, POST, PUT, DELETE, OPTIONS, TRACE, PATCH].freeze
     # ETag is based on the apache standard of hex mtime-size-inode (inode is 0 on win32)
     LINE_END = "\r\n".freeze
     REMOTE_ADDR = "REMOTE_ADDR".freeze
diff --git a/lib/puma/request.rb b/lib/puma/request.rb
@@ -73,8 +73,13 @@ def handle_request(client, lines, requests)
 
       begin
         begin
-          status, headers, res_body = @thread_pool.with_force_shutdown do
-            @app.call(env)
+          if SUPPORTED_HTTP_METHODS.include?(env[REQUEST_METHOD])
+            status, headers, res_body = @thread_pool.with_force_shutdown do
+              @app.call(env)
+            end
+          else
+            @log_writer.log "Unsupported HTTP method used: #{env[REQUEST_METHOD]}"
+            status, headers, res_body = [501, {}, ["#{env[REQUEST_METHOD]} method is not supported"]]
           end
 
           return :async if client.hijacked
@@ -271,14 +276,12 @@ def normalize_env(env, client)
         uri = URI.parse(env[REQUEST_URI])
         env[REQUEST_PATH] = uri.path
 
-        raise "No REQUEST PATH" unless env[REQUEST_PATH]
-
         # A nil env value will cause a LintError (and fatal errors elsewhere),
         # so only set the env value if there actually is a value.
         env[QUERY_STRING] = uri.query if uri.query
       end
 
-      env[PATH_INFO] = env[REQUEST_PATH]
+      env[PATH_INFO] = env[REQUEST_PATH].to_s # #to_s in case it's nil
 
       # From https://www.ietf.org/rfc/rfc3875 :
       # "Script authors should be aware that the REMOTE_ADDR and
diff --git a/test/test_web_server.rb b/test/test_web_server.rb
@@ -79,6 +79,20 @@ def test_file_streamed_request
     socket.close
   end
 
+  def test_unsupported_method
+    socket = do_test("CONNECT www.zedshaw.com:443 HTTP/1.1\r\nConnection: close\r\n\r\n", 100)
+    response = socket.read
+    assert_match "Not Implemented", response
+    socket.close
+  end
+
+  def test_nonexistent_method
+    socket = do_test("FOOBARBAZ www.zedshaw.com:443 HTTP/1.1\r\nConnection: close\r\n\r\n", 100)
+    response = socket.read
+    assert_match "Not Implemented", response
+    socket.close
+  end
+
   private
 
   def do_test(string, chunk)
