rubygem-rack/Fix-CVE-2022-44572.patch

From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 3 Aug 2022 00:19:56 -0700
Subject: [PATCH] Forbid control characters in attributes

This commit restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDOS vulnerability.

This also now should fully follow the RFCs.

RFC 2231, Section 7 specifies:

    attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
                         "*", "'", "%", or tspecials>

RFC 2045, Appendix A specifies:

    tspecials :=  "(" / ")" / "<" / ">" / "@" /
                  "," / ";" / ":" / "\" / <">
                  "/" / "[" / "]" / "?" / "="

RFC 822, Section 3.3 specifies:

    CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
                    character and DEL>          ; (    177,     127.)
    SPACE       =  <ASCII SP, space>            ; (     40,      32.)

[CVE-2022-44572]
---
 lib/rack/multipart.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
index 10f8e5fa..7695fe76 100644
--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -21,7 +21,7 @@ module Rack
     MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
-- 
2.25.1
Fix CVE-2022-44572 (cherry picked from commit b0d364e5deb9f05f2d8bd76afa365c7ee167ff7e) 2024-04-08 22:30:08 +08:00			`From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001`
			`From: John Hawthorn <john@hawthorn.email>`
			`Date: Wed, 3 Aug 2022 00:19:56 -0700`
			`Subject: [PATCH] Forbid control characters in attributes`

			`This commit restricts the characters accepted in ATTRIBUTE_CHAR,`
			`forbidding control characters and fixing a ReDOS vulnerability.`

			`This also now should fully follow the RFCs.`

			`RFC 2231, Section 7 specifies:`

			`attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,`
			`"*", "'", "%", or tspecials>`

			`RFC 2045, Appendix A specifies:`

			`tspecials := "(" / ")" / "<" / ">" / "@" /`
			`"," / ";" / ":" / "\" / <">`
			`"/" / "[" / "]" / "?" / "="`

			`RFC 822, Section 3.3 specifies:`

			`CTL = <any ASCII control ; ( 0- 37, 0.- 31.)`
			`character and DEL> ; ( 177, 127.)`
			`SPACE = <ASCII SP, space> ; ( 40, 32.)`

			`[CVE-2022-44572]`
			`---`
			`lib/rack/multipart.rb \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb`
			`index 10f8e5fa..7695fe76 100644`
			`--- a/lib/rack/multipart.rb`
			`+++ b/lib/rack/multipart.rb`
			`@@ -21,7 +21,7 @@ module Rack`
			`MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:];\sname=(#{VALUE})/ni`
			`MULTIPART_CONTENT_ID = /Content-ID:\s([^#{EOL}])/ni`
			`# Updated definitions from RFC 2231`
			`- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}`
			`+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}`
			`ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/`
			`SECTION = /\*[0-9]+/`
			`REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/`
			`--`
			`2.25.1`