rubygem-rack/CVE-2024-39316.patch


2024-07-03 17:55:00 +08:00
From 412c980450ca729ee37f90a2661f166a9665e058 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto <dwi.siswanto98@gmail.com>
Date: Tue, 2 Jul 2024 11:29:28 +0700
Subject: [PATCH] Merge pull request from GHSA-cj83-2ww7-mvq7
* fix: ReDoS in the `parse_http_accept_header` method
Signed-off-by: Dwi Siswanto <git@dw1.io>
* fix: optimize HTTP Accept headers parsing by:
  * updated `parse_http_accept_header` method to avoid unnecessary array allocation from `map`.
  * used `strip!` to modify strings in place, avoiding additional string allocations.
  * plus, safe navigation for `parameters` to handle nil cases.
  this improves memory efficiency in header parsing.
Co-authored-by: Jeremy Evans <jeremyevans@users.noreply.github.com>
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Jeremy Evans <jeremyevans@users.noreply.github.com>
---
lib/rack/request.rb | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
index b880b6ec..ccbd07da 100644
--- a/lib/rack/request.rb
+++ b/lib/rack/request.rb
@@ -642,8 +642,10 @@ module Rack
end
def parse_http_accept_header(header)
- header.to_s.split(/\s*,\s*/).map do |part|
- attribute, parameters = part.split(/\s*;\s*/, 2)
+ header.to_s.split(',').map do |part|
+ attribute, parameters = part.split(';', 2)
+ attribute.strip!
+ parameters&.strip!
quality = 1.0
if parameters and /\Aq=([\d.]+)/ =~ parameters
quality = $1.to_f
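Review bot: the unguarded `attribute.strip!` added in this hunk raises `NoMethodError` on a header with an empty element, because `",text/html".split(',')` yields `["", "text/html"]` and `"".split(';', 2)` returns `[]`, leaving `attribute` as `nil`; the old regex-based split produced the same `nil` but never called a method on it, so a request such as `Accept: ,text/html` or `Accept: text/html,,text/plain` now errors where it previously fell through to the `quality` handling. Either apply the same safe navigation used for `parameters` (`attribute&.strip!`) or skip empty parts before the split, and add a test for the leading and doubled-comma cases. The substantive fix itself is sound: replacing `split(/\s*,\s*/)` and `split(/\s*;\s*/, 2)` with literal-character splits plus `strip!` removes the `\s*` patterns whose backtracking on long runs of whitespace around separators drove the reported ReDoS, and the remaining `/\Aq=([\d.]+)/` is anchored and linear.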
--
2.43.0.windows.1