rubygem-actionpack/CVE-2023-22795.patch

From 484fc9185db6c6a6a49ab458b11f9366da02bab2 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Fri, 13 Jan 2023 15:54:40 -0800
Subject: [PATCH] Avoid regex backtracking on If-None-Match header

[CVE-2023-22795]
---
 actionpack/lib/action_dispatch/http/cache.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actionpack/lib/action_dispatch/http/cache.rb b/actionpack/lib/action_dispatch/http/cache.rb
index 9c46c5c8a4d81..d9d6f325342ea 100644
--- a/actionpack/lib/action_dispatch/http/cache.rb
+++ b/actionpack/lib/action_dispatch/http/cache.rb
@@ -18,7 +18,7 @@ def if_none_match
         end
 
         def if_none_match_etags
-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+          if_none_match ? if_none_match.split(",").each(&:strip!) : []
         end
 
         def not_modified?(modified_at)
Fix CVE-2023-22792 and CVE-2023-22795 2024-02-05 11:24:09 +08:00			`From 484fc9185db6c6a6a49ab458b11f9366da02bab2 Mon Sep 17 00:00:00 2001`
			`From: John Hawthorn <john@hawthorn.email>`
			`Date: Fri, 13 Jan 2023 15:54:40 -0800`
			`Subject: [PATCH] Avoid regex backtracking on If-None-Match header`

			`[CVE-2023-22795]`
			`---`
			`actionpack/lib/action_dispatch/http/cache.rb \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/actionpack/lib/action_dispatch/http/cache.rb b/actionpack/lib/action_dispatch/http/cache.rb`
			`index 9c46c5c8a4d81..d9d6f325342ea 100644`
			`--- a/actionpack/lib/action_dispatch/http/cache.rb`
			`+++ b/actionpack/lib/action_dispatch/http/cache.rb`
			`@@ -18,7 +18,7 @@ def if_none_match`
			`end`

			`def if_none_match_etags`
			`- if_none_match ? if_none_match.split(/\s,\s/) : []`
			`+ if_none_match ? if_none_match.split(",").each(&:strip!) : []`
			`end`

			`def not_modified?(modified_at)`