packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ruby/backport-0001-CVE-2023-28756.patch
sxt1001 7ff1c26e50 fix CVE-2023-28755 CVE-2023-28756
2023-04-12 10:25:31 +08:00

29 lines
869 B
Diff
Raw Blame History

From b57db51f577875d3e896dcd2ef1dcaf97f23e943 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Tue, 29 Nov 2022 16:22:15 +0900
Subject: [PATCH] Fix quadratic backtracking on invalid time
https://hackerone.com/reports/1485501
---
lib/time.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/time.rb b/lib/time.rb
index 43c4d80..2c85f94 100644
--- a/lib/time.rb
+++ b/lib/time.rb
@@ -509,8 +509,8 @@ class Time
(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
(\d{2,})\s+
(\d{2})\s*
- :\s*(\d{2})\s*
- (?::\s*(\d{2}))?\s+
+ :\s*(\d{2})
+ (?:\s*:\s*(\d{2}))?\s+
([+-]\d{4}|
UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
# Since RFC 2822 permit comments, the regexp has no right anchor.
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink