master

分支 (21)

标签 (17)

管理

管理

master

openEuler-24.03-LTS

openEuler-20.03-LTS-SP4

openEuler-22.03-LTS-SP4

openEuler-22.03-LTS-SP3

openEuler-22.03-LTS-SP1

openEuler-22.03-LTS-Next

openEuler-24.03-LTS-Next

openEuler-24.09

openEuler-22.03-LTS

openEuler-22.03-LTS-SP2

openEuler-20.03-LTS-SP1

openEuler-23.09

openEuler-23.03

openEuler-22.09

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS-Next

openEuler-20.03-LTS-SP3

openEuler-21.03

openEuler-21.09

openEuler-22.03-LTS-SP4-release

openEuler-24.09-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

rubygem-actionpack
/
backport-CVE-2024-47887.patch

From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 10 Oct 2024 20:32:00 -0700
Subject: [PATCH] Avoid backtracking in Token#raw_params

Thanks to scyoon for the patch

[CVE-2024-47887]
---
 actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 439ffd5c99490..e42791bbc23d8 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -506,7 +506,8 @@ def rewrite_param_values(array_params)
       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
+        _raw_params.reject!(&:empty?)

         if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"