author | Aaron Patterson <tenderlove@ruby-lang.org> | 2023-01-17 12:04:37 -0800 |
---|---|---|
committer | Aaron Patterson <tenderlove@ruby-lang.org> | 2023-01-17 12:06:06 -0800 |
commit | 7a9d76a7850455a5ef9403203ea757ed110e7806 (patch) | |
tree | 33b4c7ca05594c1db94f9c0d0274d149e86d746f | |
parent | a493640cd89aec9c148bc9d22c5f938ca9ed0dfa (diff) | |
Fix ReDoS in Rack::Utils.get_byte_ranges
This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks
@ooooooo_q for the patch!
[CVE-2022-44570]
-rw-r--r-- | lib/rack/utils.rb | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 82597450..040bcef0 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -426,17 +426,18 @@ module Rack
 return nil unless http_range && http_range =~ /bytes=([^;]+)/
 ranges = []
 $1.split(/,\s*/).each do |range_spec|
- return nil unless range_spec =~ /(\d*)-(\d*)/
- r0, r1 = $1, $2
- if r0.empty?
- return nil if r1.empty?
+ return nil unless range_spec.include?('-')
+ range = range_spec.split('-')
+ r0, r1 = range[0], range[1]
+ if r0.nil? || r0.empty?
+ return nil if r1.nil?
 # suffix-byte-range-spec, represents trailing suffix of file
 r0 = size - r1.to_i
 r0 = 0 if r0 < 0
 r1 = size - 1
 else
 r0 = r0.to_i
- if r1.empty?
+ if r1.nil?
 r1 = size - 1
 else
 r1 = r1.to_i
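Review bot: The split-based parsing accepts non-numeric range specs that the replaced regex rejected: for `abc-def` the new lines yield `r0 = "abc"` and `r1 = "def"`, and the later `to_i` calls turn both into 0, so the loop builds a 0..0 range where the old `(\d*)-(\d*)` path returned nil on empty captures; `x5-10y` likewise now parses as 0..10, and any parts after a second `-` are silently dropped by `range[0], range[1]`. An anchored per-part digit check keeps the fix regex-backtracking-free while restoring the old rejection, e.g. right after `r0, r1 = range[0], range[1]`: `return nil unless [r0, r1].compact.all? { |v| v.match?(/\A\d*\z/) }` (an empty part is still allowed, since `-500` and `500-` must keep working). The `get_byte_ranges` body starts before and continues past this hunk, so whether a spurious 0..0 range is filtered further down is not visible here and should be confirmed.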