30 lines
1.2 KiB
Diff
30 lines
1.2 KiB
Diff
From f97d14a056c9b6ec6bf46d24e0c04b4893e78d41 Mon Sep 17 00:00:00 2001
|
|
From: Aaron Patterson <aaron@rubyonrails.org>
|
|
Date: Tue, 4 May 2021 15:49:21 -0700
|
|
Subject: [PATCH] Prevent slow regex when parsing host authorization header
|
|
|
|
The old regex could take too long when parsing an authorization header,
|
|
and this could potentially cause a DoS vulnerability
|
|
|
|
[CVE-2021-22904]
|
|
---
|
|
.../lib/action_controller/metal/http_authentication.rb | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
|
|
index 01676f3..d2e6674 100644
|
|
--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
|
|
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
|
|
@@ -406,7 +406,7 @@ module ActionController
|
|
module Token
|
|
TOKEN_KEY = "token="
|
|
TOKEN_REGEX = /^(Token|Bearer)\s+/
|
|
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
|
|
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
|
|
extend self
|
|
|
|
module ControllerMethods
|
|
--
|
|
2.23.0
|
|
|