From b1241f468d1b32235f438c2e2203386e6efd3891 Mon Sep 17 00:00:00 2001
|
|
From: John Hawthorn <john@hawthorn.email>
|
|
Date: Thu, 10 Oct 2024 20:41:33 -0700
|
|
Subject: [PATCH] Avoid backtracking in filtered_query_string
|
|
|
|
Thanks scyoon for the patch
|
|
|
|
CVE-2024-41128
|
|
---
|
|
.../lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++----
|
|
1 file changed, 9 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb
|
|
index d053fc0b9f781..0e2e771da104d 100644
|
|
--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb
|
|
+++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb
|
|
@@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc:
|
|
ActiveSupport::ParameterFilter.new(filters)
|
|
end
|
|
|
|
- KV_RE = "[^&;=]+"
|
|
- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
|
|
def filtered_query_string # :doc:
|
|
- query_string.gsub(PAIR_RE) do |_|
|
|
- parameter_filter.filter($1 => $2).first.join("=")
|
|
+ parts = query_string.split(/([&;])/)
|
|
+ filtered_parts = parts.map do |part|
|
|
+ if part.include?("=")
|
|
+ key, value = part.split("=", 2)
|
|
+ parameter_filter.filter(key => value).first.join("=")
|
|
+ else
|
|
+ part
|
|
+ end
|
|
end
|
|
+ filtered_parts.join("")
|
|
end
|
|
end
|
|
end
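Review bot: The diffstat lists only filter_parameters.rb, so nothing pins the linear-time behaviour this commit buys; a regression test that runs `filtered_query_string` over a long query string (presumably one with no `=`, the shape that let the old `(KV)=(KV)` gsub backtrack) under a timeout would keep the regex from creeping back. The new `split(/([&;])/)` / `include?("=")` / `split("=", 2)` path is linear in the query length, but it still compares filter keys against the raw names: `key` is never percent-decoded before `parameter_filter.filter(key => value)`, so, assuming `query_string` is the undecoded QUERY_STRING, a key spelled `pass%77ord` would not be filtered — pre-existing, not a regression, but worth a comment on `def filtered_query_string`, e.g. `# Keys are matched as they appear in the raw query string (not percent-decoded); filters must match the encoded form.` Minor style: `filtered_parts.join("")` can be `filtered_parts.join`.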
|