Merge pull request #1823 from ooooooo-q/fix/redos

fix ReDoS
sinatra · Oct 9, 2022 · 8ff496b · 8ff496b
2 parents b88c232 + 441c06a
commit 8ff496b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rack-protection/lib/rack/protection/ip_spoofing.rb b/rack-protection/lib/rack/protection/ip_spoofing.rb
@@ -16,7 +16,7 @@ class IPSpoofing < Base
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
 
-        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
+        ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
         return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
         return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])