Fix ReDoS in Rack::Utils.get_byte_ranges

This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks @ooooooo_q for the patch! [CVE-2022-44570]
author: Aaron Patterson <tenderlove@ruby-lang.org> 2023-01-17 12:04:37 -0800
committer: Aaron Patterson <tenderlove@ruby-lang.org> 2023-01-17 12:06:06 -0800
commit: 7a9d76a7850455a5ef9403203ea757ed110e7806 (patch)
tree: 33b4c7ca05594c1db94f9c0d0274d149e86d746f
parent: a493640cd89aec9c148bc9d22c5f938ca9ed0dfa (diff)
download: rack-7a9d76a7850455a5ef9403203ea757ed110e7806.tar.gz
1 files changed, 6 insertions, 5 deletions
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 82597450..040bcef0 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -426,17 +426,18 @@ module Rack
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
-        return nil  unless range_spec =~ /(\d*)-(\d*)/
-        r0, r1 = $1, $2
-        if r0.empty?
-          return nil  if r1.empty?
+        return nil unless range_spec.include?('-')
+        range = range_spec.split('-')
+        r0, r1 = range[0], range[1]
+        if r0.nil? || r0.empty?
+          return nil if r1.nil?
           # suffix-byte-range-spec, represents trailing suffix of file
           r0 = size - r1.to_i
           r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
-          if r1.empty?
+          if r1.nil?
             r1 = size - 1
           else
             r1 = r1.to_i
author	Aaron Patterson <tenderlove@ruby-lang.org>	2023-01-17 12:04:37 -0800
committer	Aaron Patterson <tenderlove@ruby-lang.org>	2023-01-17 12:06:06 -0800
commit	7a9d76a7850455a5ef9403203ea757ed110e7806 (patch)
tree	33b4c7ca05594c1db94f9c0d0274d149e86d746f
parent	a493640cd89aec9c148bc9d22c5f938ca9ed0dfa (diff)
download	rack-7a9d76a7850455a5ef9403203ea757ed110e7806.tar.gz