
Fixed a Regexp that allows bad urls to DoS you. #206

Merged
merged 1 commit into from

2 participants

@brendan

One thing you need to know about Ruby's Regexp engine is that it handles the nesting of arbitrary-length patterns very poorly in cases where it needs to backtrack.

My patch changed this:
/\A(?:%[0-9a-fA-F]{2}|[^%]+)*\z/ =~ str

To this:
/\A(?:%[0-9a-fA-F]{2}|[^%])*\z/ =~ str

It is important because if str is something like "abcdefghijklmnopqrstuvwxyz1234567890%" you are going to be sitting around while the Regexp engine tries every possible friggin combination of matches before it gives up. By removing the variable-length + off the [^%], it only has the option to grab one, so no permutation cycling is necessary.

That's just how it is.
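The two patterns from the PR side by side, as an added example (not code from rack or from the PR author). The helpers, the constructed probe input and the path-count functions are assumptions made here to illustrate the backtracking argument; note that Ruby 3.2+ memoizes regexp matching, so timings there stay flat even for the old pattern.

```ruby
# Added example, not part of the rack PR: the two patterns from #206 side by side.
VULNERABLE = /\A(?:%[0-9a-fA-F]{2}|[^%]+)*\z/   # before: nested quantifier ([^%]+ inside *)
FIXED      = /\A(?:%[0-9a-fA-F]{2}|[^%])*\z/    # after: one character per iteration

# Predicate mirroring the guard in decode_www_form_component.
def valid_percent_encoding?(str, pattern = FIXED)
  pattern.match?(str)
end

# Constructed input of the shape the PR describes: n plain characters, then a bare '%'.
# The '%' can never match, so before giving up the old pattern retries every split of the prefix.
def probe(n)
  ('a' * n) + '%'
end

# Ways the old pattern can carve an n-character run into non-empty [^%]+ chunks
# (compositions of n): the number of paths the engine exhausts before failing.
def old_pattern_splittings(n)
  n.zero? ? 1 : 2**(n - 1)
end

# With [^%] (no +) there is exactly one way to consume the prefix, whatever n is.
def new_pattern_splittings(_n)
  1
end

# Wall-clock seconds for one match attempt.
def time_match(pattern, str)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  pattern.match?(str)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end

# Timings for prefixes of length lo..hi. Keep hi small: 2**(hi-1) paths is the budget
# the old pattern burns on Rubies before 3.2 (3.2+ memoizes and stays flat here).
def growth_table(pattern, lo, hi)
  (lo..hi).map { |n| [n, time_match(pattern, probe(n))] }
end

if __FILE__ == $0
  puts "vulnerable: #{growth_table(VULNERABLE, 12, 16).inspect}"
  puts "fixed:      #{growth_table(FIXED, 12, 16).inspect}"
end
```

Both patterns accept exactly the same strings (sequences of %XX triplets and non-% characters); the fix changes only how many ways the engine can fail.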

@raggi raggi merged commit 34f373f into rack:rack-1.3
Commits on Jul 13, 2011
  1. @brendan
Showing with 1 addition and 1 deletion.
  1. +1 −1  lib/rack/backports/uri/common.rb
2  lib/rack/backports/uri/common.rb
@@ -64,7 +64,7 @@ def self.decode_www_form_component(str, enc=nil)
rescue
end
end
- raise ArgumentError, "invalid %-encoding (#{str})" unless /\A(?:%[0-9a-fA-F]{2}|[^%]+)*\z/ =~ str
+ raise ArgumentError, "invalid %-encoding (#{str})" unless /\A(?:%[0-9a-fA-F]{2}|[^%])*\z/ =~ str
str.gsub(/\+|%[0-9a-fA-F]{2}/) {|m| TBLDECWWWCOMP_[m]}
end
end
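Review bot: no regression test accompanies the one-line change to the guard in decode_www_form_component; please add a case that feeds a long non-% prefix ending in a bare "%" (the shape named in the PR description) and asserts that ArgumentError is raised promptly, plus a case showing a valid input such as "a%20b" still decodes, so the nested-quantifier form cannot creep back. The rewrite itself is sound: `[^%]` in place of `[^%]+` accepts the same set of strings (any run of %XX triplets and non-% characters), so only the backtracking behaviour changes. One further observation on the same line: the exception message interpolates the full untrusted `str`, so a very long request body ends up copied into the error text; consider truncating it before interpolation.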