Fix ReDoS in accept header scanning

Thanks svalkanov for the patch!

[CVE-2024-26142]
Aaron Patterson 2024-02-20 14:02:12 -08:00
parent 32587c3bdd
commit a3f3c3e5d6
GPG Key ID: 953170BCB4FFAFC6
1 changed files with 2 additions and 2 deletions


@ -157,7 +157,7 @@ module Mime
TRAILING_STAR_REGEXP = /^(text|application)\/\*/
# all media-type parameters need to be before the q-parameter
# https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
def register_callback(&block)
@ -197,7 +197,7 @@ module Mime
def parse(accept_header)
if !accept_header.include?(",")
if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
accept_header = accept_header[0, index]
accept_header = accept_header[0, index].strip
end
return [] if accept_header.blank?
parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
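Review bot: The diffstat shows only the one source file changed, so the fix is not pinned by a regression test; a test that calls `Mime::Type.parse` with a single media type followed by a long run of whitespace before the `;q=` parameter and asserts it returns promptly with the expected type would keep the quadratic `\s*;` scan from being reintroduced. The reason for the change is also undocumented at its source in the first hunk: the leading `\s*` made `String#index` retry the whitespace match from every position, so a comment such as `# no leading \s*: scanning with a whitespace-prefixed pattern is quadratic on long whitespace runs; parse strips the match instead` next to `PARAMETER_SEPARATOR_REGEXP` would explain why the two changes belong together. Note that `.strip` on the new line also removes leading whitespace that the previous `\s*` prefix never touched; that is presumably harmless for `Mime::Type.lookup`, but it is a small behaviour change worth confirming. Whether the comma-separated branch below the hunk scans the header with a similar pattern cannot be seen from here.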