mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Prevent slow regex when parsing host authorization header

The old regex could take too long when parsing an authorization header,
and this could potentially cause a DoS vulnerability

[CVE-2021-22904]
Aaron Patterson 2021-05-04 15:49:21 -07:00
parent 55e0723846
commit eab8c20f3e
No known key found for this signature in database
GPG key ID: 953170BCB4FFAFC6
2 changed files with 11 additions and 1 deletions


@ -407,7 +407,7 @@ module ActionController
module Token
TOKEN_KEY = "token="
TOKEN_REGEX = /^(Token|Bearer)\s+/
AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
extend self
module ControllerMethods
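Review bot: The new `AUTHN_PAIR_DELIMITERS` line has no comment recording why the tab alternative carries no quantifier, so a later cleanup could reintroduce `\t+` and with it the slow parse the commit message describes. I would add `# No quantifier on \t: a repeated-tab alternative made header parsing slow (CVE-2021-22904).` above it and write the pattern as a character class, `AUTHN_PAIR_DELIMITERS = /[,;\t]/`, which matches the same single characters without alternation. The code that uses this constant is outside the hunk, so it is worth confirming that a run of consecutive tabs is still parsed as intended now that each tab is its own delimiter. Separately, the unchanged `TOKEN_REGEX` anchors with `^`, which matches at any line start; `\A` would be stricter if only a leading scheme should be stripped.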


@ -88,6 +88,16 @@ class HttpTokenAuthenticationTest < ActionController::TestCase
assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
end
test "authentication request with evil header" do
@request.env["HTTP_AUTHORIZATION"] = "Token ." + " " * (1024*80-8) + "."
Timeout.timeout(1) do
get :index
end
assert_response :unauthorized
assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
end
test "successful authentication request with Bearer instead of Token" do
@request.env["HTTP_AUTHORIZATION"] = "Bearer lifo"
get :index
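Review bot: The evil-header test depends on a one-second wall-clock budget, `Timeout.timeout(1)`, which can fail spuriously on a loaded CI runner and gives no hint of what regressed when it fires. The payload size `1024*80-8` is also unexplained; it appears to pad the header to exactly 80 KiB once the eight non-space characters are counted. I would add a comment above the test such as `# CVE-2021-22904: an 80 KiB Authorization header must parse without slow regex backtracking.` and consider a second case whose padding includes tab runs, since the alternative changed in the regex is the tab one and this input contains only spaces. Whether the test file already requires `timeout` is not visible in the hunk.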