fix CVE-2023-28755 CVE-2023-28756

(cherry picked from commit a011562aeb90e070502a2e6a677c9fa105395897)
2023-04-11 11:25:50 +08:00 · 2023-04-11 11:25:50 +08:00 · 0a21f35a34
commit 0a21f35a34
parent 3c32953d61
7 changed files with 202 additions and 1 deletions
--- a/backport-0001-CVE-2023-28755.patch
+++ b/backport-0001-CVE-2023-28755.patch
@ -0,0 +1,35 @@
 From c92e40e871b8bc076ee039c428f8d176125265f9 Mon Sep 17 00:00:00 2001
 From: Nobuyoshi Nakada <nobu@ruby-lang.org>
 Date: Mon, 10 Jan 2022 01:12:57 +0900
 Subject: [PATCH 2/5] Test for quadratic backtracking on invalid URI
 https://hackerone.com/reports/1444501
 ---
 test/uri/test_common.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/test/uri/test_common.rb b/test/uri/test_common.rb
 index 1afa35f..2b877c1 100644
 --- a/test/uri/test_common.rb
 +++ b/test/uri/test_common.rb
@@ -56,6 +56,17 @@ class TestCommon < Test::Unit::TestCase
     assert_raise(NoMethodError) { Object.new.URI("http://www.ruby-lang.org/") }
   end
 +  def test_parse_timeout
 +    pre = ->(n) {
 +      'https://example.com/dir/' + 'a' * (n * 100) + '/##.jpg'
 +    }
 +    assert_linear_performance((1..10).map {|i| i * 100}, pre: pre) do |uri|
 +      assert_raise(URI::InvalidURIError) do
 +        URI.parse(uri)
 +      end
 +    end
 +  end
 +
   def test_encode_www_form_component
     assert_equal("%00+%21%22%23%24%25%26%27%28%29*%2B%2C-.%2F09%3A%3B%3C%3D%3E%3F%40" \
                  "AZ%5B%5C%5D%5E_%60az%7B%7C%7D%7E",
 -- 
 2.33.0
--- a/backport-0001-CVE-2023-28756.patch
+++ b/backport-0001-CVE-2023-28756.patch
@ -0,0 +1,33 @@
 From f994e267519215d51fa762e3114f1019dd8e2722 Mon Sep 17 00:00:00 2001
 From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
 Date: Fri, 24 Mar 2023 17:11:36 +0900
 Subject: [PATCH 1/5] Test for quadratic backtracking on invalid time
 https://hackerone.com/reports/1485501
 ---
 test/test_time.rb | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/test/test_time.rb b/test/test_time.rb
 index ca20788..4f11048 100644
 --- a/test/test_time.rb
 +++ b/test/test_time.rb
@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc:
     assert_equal(true, t.utc?)
   end
 +  def test_rfc2822_nonlinear
 +    pre = ->(n) {"0 Feb 00 00 :00" + " " * n}
 +    assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s|
 +      assert_raise(ArgumentError) do
 +        Time.rfc2822(s)
 +      end
 +    end
 +  end
 +
   def test_encode_rfc2822
     t = Time.utc(1)
     assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822)
 -- 
 2.33.0
--- a/backport-0002-CVE-2023-28755.patch
+++ b/backport-0002-CVE-2023-28755.patch
@ -0,0 +1,28 @@
 From d8b9a843d04b2410f21a59e68c50d5553eedccf6 Mon Sep 17 00:00:00 2001
 From: Nobuyoshi Nakada <nobu@ruby-lang.org>
 Date: Mon, 10 Jan 2022 01:12:57 +0900
 Subject: [PATCH 3/5] Fix quadratic backtracking on invalid URI
 https://hackerone.com/reports/1444501
 ---
 lib/uri/rfc3986_parser.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
 index 75fd5b1..145d845 100644
 --- a/lib/uri/rfc3986_parser.rb
 +++ b/lib/uri/rfc3986_parser.rb
@@ -3,8 +3,8 @@ module URI
   class RFC3986_Parser # :nodoc:
     # URI defined in RFC3986
     # this regexp is modified not to host is not empty string
 -    RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
 -    RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
 +    RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*+):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
 +    RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
     attr_reader :regexp
     def initialize
 -- 
 2.33.0
--- a/backport-0002-CVE-2023-28756.patch
+++ b/backport-0002-CVE-2023-28756.patch
@ -0,0 +1,28 @@
 From 3765d119ca03db067f9cd292752389983e2821eb Mon Sep 17 00:00:00 2001
 From: Nobuyoshi Nakada <nobu@ruby-lang.org>
 Date: Tue, 29 Nov 2022 16:22:15 +0900
 Subject: [PATCH 2/5] Fix quadratic backtracking on invalid time
 https://hackerone.com/reports/1485501
 ---
 lib/time.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/lib/time.rb b/lib/time.rb
 index 625c2c8..ac17410 100644
 --- a/lib/time.rb
 +++ b/lib/time.rb
@@ -506,8 +506,8 @@ class Time
           (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
           (\d{2,})\s+
           (\d{2})\s*
 -          :\s*(\d{2})\s*
 -          (?::\s*(\d{2}))?\s+
 +          :\s*(\d{2})
 +          (?:\s*:\s*(\d{2}))?\s+
           ([+-]\d{4}|
            UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
         # Since RFC 2822 permit comments, the regexp has no right anchor.
 -- 
 2.33.0
--- a/backport-0003-CVE-2023-28756.patch
+++ b/backport-0003-CVE-2023-28756.patch
@ -0,0 +1,26 @@
 From a8acce46ffa334b1edd3767b52bc5ece1664171d Mon Sep 17 00:00:00 2001
 From: Nobuyoshi Nakada <nobu@ruby-lang.org>
 Date: Fri, 30 Dec 2022 14:32:05 +0900
 Subject: [PATCH 3/5] Make RFC2822 regexp linear
 https://hackerone.com/reports/1485501
 ---
 lib/time.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/time.rb b/lib/time.rb
 index ac17410..8af482c 100644
 --- a/lib/time.rb
 +++ b/lib/time.rb
@@ -507,7 +507,7 @@ class Time
           (\d{2,})\s+
           (\d{2})\s*
           :\s*(\d{2})
 -          (?:\s*:\s*(\d{2}))?\s+
 +          (?:\s*:\s*(\d\d))?\s+
           ([+-]\d{4}|
            UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
         # Since RFC 2822 permit comments, the regexp has no right anchor.
 -- 
 2.33.0
--- a/backport-Fix-splitting-relative-URI.patch
+++ b/backport-Fix-splitting-relative-URI.patch
@ -0,0 +1,42 @@
 From cff9d743242f7c50e8e5cf350a8c3e60bb00f1dc Mon Sep 17 00:00:00 2001
 From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
 Date: Fri, 24 Mar 2023 18:53:18 +0900
 Subject: [PATCH 1/5] Fix splitting relative URI
 ---
 lib/uri/rfc3986_parser.rb | 2 +-
 test/uri/test_parser.rb   | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
 index 49a594c..75fd5b1 100644
 --- a/lib/uri/rfc3986_parser.rb
 +++ b/lib/uri/rfc3986_parser.rb
@@ -4,7 +4,7 @@ module URI
     # URI defined in RFC3986
     # this regexp is modified not to host is not empty string
     RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
 -    RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
 +    RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
     attr_reader :regexp
     def initialize
 diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb
 index b13a26c..37e7107 100644
 --- a/test/uri/test_parser.rb
 +++ b/test/uri/test_parser.rb
@@ -58,4 +58,11 @@ class URI::TestParser < Test::Unit::TestCase
     assert_equal("\u3042", p1.unescape('%e3%81%82'.force_encoding(Encoding::US_ASCII)))
     assert_equal("\xe3\x83\x90\xe3\x83\x90", p1.unescape("\xe3\x83\x90%e3%83%90"))
   end
 +
 +  def test_split
 +    assert_equal(["http", nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("http://example.com"))
 +    assert_equal(["http", nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("http://[0::0]"))
 +    assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com"))
 +    assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]"))
 +  end
 end
 -- 
 2.33.0
--- a/ruby.spec
+++ b/ruby.spec
@ -33,7 +33,7 @@
 Name:      ruby
 Version:   %{ruby_version}
-Release:   128
+Release:   129
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/en/
@ -181,6 +181,12 @@ Patch6009: backport-0002-CVE-2021-33621.patch
 Patch6010: backport-Relax-domain-label-restrictions.patch
 Patch6011: backport-Fix-test_cgi_cookie_new_with_domain-to-pass-on-older.patch
 Patch6012: backport-Loosen-the-domain-regex-to-accept-.-29.patch
 Patch6013: backport-Fix-splitting-relative-URI.patch
 Patch6014: backport-0001-CVE-2023-28755.patch
 Patch6015: backport-0002-CVE-2023-28755.patch
 Patch6016: backport-0001-CVE-2023-28756.patch
 Patch6017: backport-0002-CVE-2023-28756.patch
 Patch6018: backport-0003-CVE-2023-28756.patch
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@ -1193,6 +1199,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed
 %changelog
 * Tue Apr 11 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-129
 - fix CVE-2023-28755 CVE-2023-28756
 * Thu Jan 05 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-128
 - fix CVE-2021-33621