Projects
Mega:24.03:SP1:Everything
rubygem-actionpack
_service:tar_scm:backport-CVE-2024-47887.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2024-47887.patch of Package rubygem-actionpack
From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001 From: John Hawthorn <john@hawthorn.email> Date: Thu, 10 Oct 2024 20:32:00 -0700 Subject: [PATCH] Avoid backtracking in Token#raw_params Thanks to scyoon for the patch [CVE-2024-47887] --- actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 439ffd5c99490..e42791bbc23d8 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -506,7 +506,8 @@ def rewrite_param_values(array_params) # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt> # delimiters defined in +AUTHN_PAIR_DELIMITERS+. def raw_params(auth) - _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/) + _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip) + _raw_params.reject!(&:empty?) if !_raw_params.first&.start_with?(TOKEN_KEY) _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2