Merge branch '2-2-sec' into 2-2-stable

* 2-2-sec: bump version Avoid 2nd degree polynomial regexp in MediaType Return an empty array when ranges are too large Fixing ReDoS in header parsing
rack · Feb 21, 2024 · f7d40f9 · f7d40f9
2 parents fdb12cb + e830011
commit f7d40f9
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
@@ -4,7 +4,7 @@ module Rack
   # Rack::MediaType parse media type and parameters out of content_type string
 
   class MediaType
-    SPLIT_PATTERN = %r{\s*[;,]\s*}
+    SPLIT_PATTERN = /[;,]/
 
     class << self
       # The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -15,7 +15,11 @@ class << self
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
       def type(content_type)
         return nil unless content_type
-        content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
+        if type = content_type.split(SPLIT_PATTERN, 2).first
+          type.rstrip!
+          type.downcase!
+          type
+        end
       end
 
       # The media type parameters provided in CONTENT_TYPE as a Hash, or
@@ -27,9 +31,10 @@ def params(content_type)
         return {} if content_type.nil?
 
         content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
+          s.strip!
           k, v = s.split('=', 2)
-
-          hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
+          k.downcase!
+          hsh[k] = strip_doublequotes(v)
         end
       end
 

diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
@@ -142,8 +142,8 @@ def build_nested_query(value, prefix = nil)
     end
 
     def q_values(q_value_header)
-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
-        value, parameters = part.split(/\s*;\s*/, 2)
+      q_value_header.to_s.split(',').map do |part|
+        value, parameters = part.split(';', 2).map(&:strip)
         quality = 1.0
         if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
           quality = md[1].to_f
@@ -380,6 +380,9 @@ def get_byte_ranges(http_range, size)
         end
         ranges << (r0..r1)  if r0 <= r1
       end
+
+      return [] if ranges.map(&:size).sum > size
+
       ranges
     end
 

diff --git a/lib/rack/version.rb b/lib/rack/version.rb
@@ -20,7 +20,7 @@ def self.version
     VERSION.join(".")
   end
 
-  RELEASE = "2.2.8"
+  RELEASE = "2.2.8.1"
 
   # Return the Rack release as a dotted string.
   def self.release

diff --git a/test/spec_utils.rb b/test/spec_utils.rb
@@ -590,6 +590,10 @@ def initialize(*)
 end
 
 describe Rack::Utils, "byte_range" do
+  it "returns an empty list if the sum of the ranges is too large" do
+    assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
+  end
+
   it "ignore missing or syntactically invalid byte ranges" do
     Rack::Utils.byte_ranges({}, 500).must_be_nil
     Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil