From 71c37c29defeab2c98ad4291807efe12427a209f Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Tue, 29 Nov 2022 16:22:15 +0900
Subject: [PATCH] Fix CVE-2023-28756 ReDoS vulnerability in Time.

Backported from: Ruby 2.7.8
Backported from the following commits:
https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a

Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.

==== Original commit message(s)

Fix quadratic backtracking on invalid time

Make RFC2822 regexp linear

https://hackerone.com/reports/1485501
---
 lib/time.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/time.rb b/lib/time.rb
index eb46a03..cb6f1e4 100644
--- a/lib/time.rb
+++ b/lib/time.rb
@@ -474,8 +474,8 @@ class Time
           (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
           (\d{2,})\s+
           (\d{2})\s*
-          :\s*(\d{2})\s*
-          (?::\s*(\d{2}))?\s+
+          :\s*(\d{2})
+          (?:\s*:\s*(\d\d))?\s+
           ([+-]\d{4}|
            UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
         # Since RFC 2822 permit comments, the regexp has no right anchor.
-- 
2.41.0