Summary
module Rack
class MediaType
SPLIT_PATTERN = %r{\s*[;,]\s*}The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.
PoC
A simple HTTP request with lots of blank characters in the content-type header:
request["Content-Type"] = (" " * 50_000) + "a,"Impact
It's a very easy to craft ReDos. Like all ReDos the impact is debatable.
Summary
The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.
PoC
A simple HTTP request with lots of blank characters in the content-type header:
Impact
It's a very easy to craft ReDos. Like all ReDos the impact is debatable.