Fixing ReDoS in header parsing

Thanks svalkanov [CVE-2024-26146]
rack · Feb 21, 2024 · e4c1177 · e4c1177
1 parent f169ff7
commit e4c1177
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
@@ -142,8 +142,8 @@ def build_nested_query(value, prefix = nil)
     end
 
     def q_values(q_value_header)
-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
-        value, parameters = part.split(/\s*;\s*/, 2)
+      q_value_header.to_s.split(',').map do |part|
+        value, parameters = part.split(';', 2).map(&:strip)
         quality = 1.0
         if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
           quality = md[1].to_f