From 441c06a7eb1a5d59648806aa773f3a27fa89bc1e Mon Sep 17 00:00:00 2001
From: ooooooo_q
Date: Sat, 8 Oct 2022 11:23:45 +0900
Subject: [PATCH] fix ReDoS

---
 rack-protection/lib/rack/protection/ip_spoofing.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rack-protection/lib/rack/protection/ip_spoofing.rb b/rack-protection/lib/rack/protection/ip_spoofing.rb
index a8799324..1e6812e5 100644
--- a/rack-protection/lib/rack/protection/ip_spoofing.rb
+++ b/rack-protection/lib/rack/protection/ip_spoofing.rb
@@ -16,7 +16,7 @@ module Rack
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
-        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
+        ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
         return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
         return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])