Avoid ReDoS problem

Split headers on commas, then strip the strings in order to avoid ReDoS issues. [CVE-2023-27539]
rack · Mar 13, 2023 · 231ef36 · 231ef36
1 parent e9e9ae6
commit 231ef36
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
@@ -666,8 +666,8 @@ def wrap_ipv6(host)
       end
 
       def parse_http_accept_header(header)
-        header.to_s.split(/\s*,\s*/).map do |part|
-          attribute, parameters = part.split(/\s*;\s*/, 2)
+        header.to_s.split(",").each(&:strip!).map do |part|
+          attribute, parameters = part.split(";", 2).each(&:strip!)
           quality = 1.0
           if parameters and /\Aq=([\d.]+)/ =~ parameters
             quality = $1.to_f