Commits on Apr 28, 2023

1. Add Content-Disposition parameter parser …

   The ReDoS fix in ee25ab9 breaks valid
   requests, because colons are valid inside parameter values.  You cannot
   use a regexp scan and ensure correct behavior, since values inside
   parameters can be escaped.  Issues like this are the reason for the
   famous "now they have two problems" quote regarding regexps.
   
   Add a basic parser for parameters in Content-Disposition.  This parser
   is based purely on String#{index,slice!,[],==}, usually with string
   arguments for #index (though one case uses a simple regexp).  There
   are two loops (one nested in the other), but the use of slice! ensures
   that forward progress is always made on each loop iteration.
   
   In addition to fixing the bug introduced by the security fix, this
   removes multiple separate passes over the mime head, one pass to get
   the parameter name for Content-Disposition, and a separate pass to get
   the filename. It removes the get_filename method, though some of the
   code is kept in a smaller normalize_filename method.
   
   This removes 18 separate regexp contents that were previously used
   just for the separate parse to find the filename for the content
   disposition.
   
   Fixes rack#2076

   

   jeremyevans committed Apr 28, 2023
   Configuration menu

   • View commit details
   • Copy full SHA for 645b5b4
   • Browse repository at this point

   Copy the full SHA

   645b5b4 View commit details

   Browse the repository at this point in the history