Avoid ReDoS problem

tenderlove · tenderlove · commit 231ef369ad0b · 2023-03-13T11:03:33.000-07:00
Split headers on commas, then strip the strings in order to avoid ReDoS issues. [CVE-2023-27539]
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
@@ -666,8 +666,8 @@ def wrap_ipv6(host)
       end
 
       def parse_http_accept_header(header)
-        header.to_s.split(/\s*,\s*/).map do |part|
-          attribute, parameters = part.split(/\s*;\s*/, 2)
+        header.to_s.split(",").each(&:strip!).map do |part|
+          attribute, parameters = part.split(";", 2).each(&:strip!)
           quality = 1.0
           if parameters and /\Aq=([\d.]+)/ =~ parameters
             quality = $1.to_f
