31 lines
890 B
Diff
31 lines
890 B
Diff
From e4c117749ba24a66f8ec5a08eddf68deeb425ccd Mon Sep 17 00:00:00 2001
|
|
From: Aaron Patterson <tenderlove@ruby-lang.org>
|
|
Date: Wed, 21 Feb 2024 11:05:06 -0800
|
|
Subject: [PATCH] Fixing ReDoS in header parsing
|
|
|
|
Thanks svalkanov
|
|
|
|
[CVE-2024-26146]
|
|
---
|
|
lib/rack/utils.rb | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
|
|
index c8e61ea1..0ed64b7a 100644
|
|
--- a/lib/rack/utils.rb
|
|
+++ b/lib/rack/utils.rb
|
|
@@ -142,8 +142,8 @@ module Rack
|
|
end
|
|
|
|
def q_values(q_value_header)
|
|
- q_value_header.to_s.split(/\s*,\s*/).map do |part|
|
|
- value, parameters = part.split(/\s*;\s*/, 2)
|
|
+ q_value_header.to_s.split(',').map do |part|
|
|
+ value, parameters = part.split(';', 2).map(&:strip)
|
|
quality = 1.0
|
|
if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
|
|
quality = md[1].to_f
|
|
--
|
|
2.25.1
|
|
|