73cefa374b
Do not include the test case, as assert_linear_time was introduced in Ruby 2.7. Backported from: Ruby 2.7.8 Backported from the following commits:2cb830602fe3f18f7d2eResolves: CVE-2023-28756
42 lines
1.3 KiB
Diff
42 lines
1.3 KiB
Diff
From 71c37c29defeab2c98ad4291807efe12427a209f Mon Sep 17 00:00:00 2001
|
|
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
|
|
Date: Tue, 29 Nov 2022 16:22:15 +0900
|
|
Subject: [PATCH] Fix CVE-2023-28756 ReDoS vulnerability in Time.
|
|
|
|
Backported from: Ruby 2.7.8
|
|
Backported from the following commits:
|
|
https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
|
|
https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
|
|
|
|
Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.
|
|
|
|
==== Original commit message(s)
|
|
|
|
Fix quadratic backtracking on invalid time
|
|
|
|
Make RFC2822 regexp linear
|
|
|
|
https://hackerone.com/reports/1485501
|
|
---
|
|
lib/time.rb | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/time.rb b/lib/time.rb
|
|
index eb46a03..cb6f1e4 100644
|
|
--- a/lib/time.rb
|
|
+++ b/lib/time.rb
|
|
@@ -474,8 +474,8 @@ class Time
|
|
(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
|
|
(\d{2,})\s+
|
|
(\d{2})\s*
|
|
- :\s*(\d{2})\s*
|
|
- (?::\s*(\d{2}))?\s+
|
|
+ :\s*(\d{2})
|
|
+ (?:\s*:\s*(\d\d))?\s+
|
|
([+-]\d{4}|
|
|
UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
|
|
# Since RFC 2822 permit comments, the regexp has no right anchor.
|
|
--
|
|
2.41.0
|
|
|