ruby/backport-0002-CVE-2023-28756.patch
sxt1001 0a21f35a34 fix CVE-2023-28755 CVE-2023-28756
(cherry picked from commit a011562aeb90e070502a2e6a677c9fa105395897)
2023-04-11 11:41:17 +08:00


From 3765d119ca03db067f9cd292752389983e2821eb Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Tue, 29 Nov 2022 16:22:15 +0900
Subject: [PATCH 2/5] Fix quadratic backtracking on invalid time
https://hackerone.com/reports/1485501
---
lib/time.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/time.rb b/lib/time.rb
index 625c2c8..ac17410 100644
--- a/lib/time.rb
+++ b/lib/time.rb
@@ -506,8 +506,8 @@ class Time
(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
(\d{2,})\s+
(\d{2})\s*
- :\s*(\d{2})\s*
- (?::\s*(\d{2}))?\s+
+ :\s*(\d{2})
+ (?:\s*:\s*(\d{2}))?\s+
([+-]\d{4}|
UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
# Since RFC 2822 permit comments, the regexp has no right anchor.
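Review bot: the fix is sound, and the reason is worth recording in the commit message: in the old pattern `:\s*(\d{2})\s*` followed by `(?::\s*(\d{2}))?\s+`, the `\s*` after the minutes group and the `\s+` after the optional seconds group can both consume the same run of whitespace, so whenever the trailing zone alternation fails to match the engine retries every possible split of that run, which is the quadratic backtracking the subject names. Moving the `\s*` inside the optional group (`(?:\s*:\s*(\d{2}))?`) removes the ambiguity, since whitespace there is only consumed when a `:` follows it, and the only other consumer is the mandatory `\s+`. Valid inputs such as `12:34 +0900` and `12 : 34 : 56 GMT` still match identically under the `/x` flag. A regression test that parses a date with a very long run of spaces after the minutes and no valid zone would guard against this pattern reappearing.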
--
2.33.0