diff options
| author | John Hawthorn <john@hawthorn.email> | 2022-08-03 00:19:56 -0700 |
|---|---|---|
| committer | Aaron Patterson <tenderlove@ruby-lang.org> | 2023-01-17 11:48:45 -0800 |
| commit | a493640cd89aec9c148bc9d22c5f938ca9ed0dfa (patch) | |
| tree | e2022c9c6b509ea3fd820b8c8f167ef95f5c32bf | |
| parent | 9a2f06e7c20ca89b9e12b305bbd21901bd106d1e (diff) | |
| download | rack-a493640cd89aec9c148bc9d22c5f938ca9ed0dfa.tar.gz | |
Forbid control characters in attributes
This commit restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDOS vulnerability.
This also now should fully follow the RFCs.
RFC 2231, Section 7 specifies:
attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
"*", "'", "%", or tspecials>
RFC 2045, Appendix A specifies:
tspecials := "(" / ")" / "<" / ">" / "@" /
"," / ";" / ":" / "\" / <">
"/" / "[" / "]" / "?" / "="
RFC 822, Section 3.3 specifies:
CTL = <any ASCII control ; ( 0- 37, 0.- 31.)
character and DEL> ; ( 177, 127.)
SPACE = <ASCII SP, space> ; ( 40, 32.)
[CVE-2022-44572]
| -rw-r--r-- | lib/rack/multipart/parser.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb index 480badaf..d624eba8 100644 --- a/lib/rack/multipart/parser.rb +++ b/lib/rack/multipart/parser.rb @@ -26,7 +26,7 @@ module Rack MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni # Updated definitions from RFC 2231 - ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]} + ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]} ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/ SECTION = /\*[0-9]+/ REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/ |