From c5b7622af70ae6ca26a4067840c52128206c2b3f Mon Sep 17 00:00:00 2001
From: ooooooo_q
Date: Sun, 16 Apr 2023 21:17:37 +0900
Subject: [PATCH 1/2] fix ReDoS parse_header
---
 lib/webrick/httputils.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/webrick/httputils.rb b/lib/webrick/httputils.rb
index d95147c..d82f95d 100644
--- a/lib/webrick/httputils.rb
+++ b/lib/webrick/httputils.rb
@@ -157,13 +157,13 @@ def parse_header(raw)
 field = nil
 raw.each_line{|line|
 case line
- when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):\s*(.*?)\s*\z/om
- field, value = $1, $2
+ when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):(.*?)\z/om
+ field, value = $1, $2.strip
 field.downcase!
 header[field] = [] unless header.has_key?(field)
 header[field] << value
- when /^\s+(.*?)\s*\z/om
- value = $1
+ when /^\s+(.*?)/om
+ value = line.strip
 unless field
 raise HTTPStatus::BadRequest, "bad header '#{line}'."
 end
From 9e3224864876af9b75b8038545a7962d79995b46 Mon Sep 17 00:00:00 2001
From: ooooooo_q
Date: Sun, 16 Apr 2023 23:41:58 +0900
Subject: [PATCH 2/2] fix ReDoS split_header_value
---
 lib/webrick/httputils.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/webrick/httputils.rb b/lib/webrick/httputils.rb
index d82f95d..6b43146 100644
--- a/lib/webrick/httputils.rb
+++ b/lib/webrick/httputils.rb
@@ -183,7 +183,7 @@ def parse_header(raw)
 # Splits a header value +str+ according to HTTP specification.
 def split_header_value(str)
- str.scan(%r'\G((?:"(?:\\.|[^"])+?"|[^",]+)+)
+ str.scan(%r'\G((?:"(?:\\.|[^"])+?"|[^",]++)+)
 (?:,\s*|\Z)'xn).flatten
 end
 module_function :split_header_value
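Review bot: In the continuation branch the rewritten pattern `/^\s+(.*?)/om` keeps a capture group that now always matches the empty string and is never read, because the value is taken from `line.strip`; `when /^\s+/om` states what is actually being tested and avoids a reader hunting for a `$1` use. A quieter change worth a comment: `String#strip` also trims NUL bytes (at least trailing ones, on the Rubies I know), which the old `\s*\z` anchors did not, so a header value ending in `\0` now loses it — harmless for HTTP, but the reason for choosing `strip` over the anchors should be recorded, e.g. `# strip instead of \s*\z keeps the match linear on long lines; also drops NULs`. The same note applies to `$2.strip` in the first branch. `parse_header` begins and ends outside this hunk.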
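Review bot: The possessive `[^",]++` removes the nested-quantifier blowup, but the quoted-string branch `"(?:\\.|[^"])+?"` still has overlapping alternatives — a backslash can be consumed either by `\\.` or by `[^"]` — so a value that opens with `"`, continues with a long run of backslashes and never closes the quote still makes the lazy loop backtrack exponentially while it looks for the closing `"`. Making the two alternatives disjoint fixes that, e.g. `"(?:\\.|[^"\\])+?"`, at the cost of no longer accepting a lone backslash immediately before the closing quote (or before a newline), which the old pattern tolerated; that is probably the correct reading of a quoted-pair anyway, but it deserves a test case. I also believe, without having verified it on this Ruby, that a possessive quantifier compiles to an atomic group and opts the whole regexp out of the Ruby 3.2+ match memoization, so the remaining branch cannot rely on that safety net. A comment above the `scan`, `# alternatives kept disjoint and possessive so matching stays linear on untrusted input`, would explain why the pattern looks the way it does.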