packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ruby/backport-0003-CVE-2023-28756.patch
sxt1001 0a21f35a34 fix CVE-2023-28755 CVE-2023-28756 
(cherry picked from commit a011562aeb90e070502a2e6a677c9fa105395897)
2023-04-11 11:41:17 +08:00

27 lines
765 B
Diff
Raw Blame History

From a8acce46ffa334b1edd3767b52bc5ece1664171d Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Fri, 30 Dec 2022 14:32:05 +0900
Subject: [PATCH 3/5] Make RFC2822 regexp linear
https://hackerone.com/reports/1485501
---
lib/time.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/time.rb b/lib/time.rb
index ac17410..8af482c 100644
--- a/lib/time.rb
+++ b/lib/time.rb
@@ -507,7 +507,7 @@ class Time
(\d{2,})\s+
(\d{2})\s*
:\s*(\d{2})
- (?:\s*:\s*(\d{2}))?\s+
+ (?:\s*:\s*(\d\d))?\s+
([+-]\d{4}|
UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
# Since RFC 2822 permit comments, the regexp has no right anchor.
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink