This patch restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDOS vulnerability.
--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -21,7 +21,7 @@
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
SECTION = /\*[0-9]+/
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
distrib
>
Mageia
>
9
>
armv7hl
>
media
>
core-release-src
>
by-pkgid
>
9bc5d30c641cf06495c12c8a786d6f4b
>
files
>
4
