File rubygem-rack-CVE-2022-30122.patch of Package rubygem-rack.27576

Index: rack-1.6.13/lib/rack/multipart/parser.rb
===================================================================
--- rack-1.6.13.orig/lib/rack/multipart/parser.rb
+++ rack-1.6.13/lib/rack/multipart/parser.rb
@@ -159,8 +159,9 @@ module Rack
         when RFC2183
           filename = Hash[head.scan(DISPPARM)]['filename']
           filename = $1 if filename and filename =~ /^"(.*)"$/
-        when BROKEN_QUOTED, BROKEN_UNQUOTED
+        when BROKEN
           filename = $1
+          filename = $1 if filename =~ /^"(.*)"$/
         end
 
         return unless filename
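Review bot: The unquote added on the `when BROKEN` branch anchors with `^`/`$`, which in Ruby match at line boundaries rather than at the ends of the string, while `VALUE`'s `[^"]` can match a line break inside a quoted value. A captured filename that spans lines would therefore appear to keep its surrounding quotes and reach the later filename handling still quoted. If whole-string stripping is what is meant, `filename = $1 if filename =~ /\A"(.*)"\z/m` says so directly; the RFC2183 branch just above uses the same `^…$` pattern, so change both or neither. The two consecutive `$1` assignments are easy to misread, and a comment such as `# BROKEN captures the raw value; strip the outer quotes when it was quoted` would help. The enclosing method starts and ends outside this hunk.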
Index: rack-1.6.13/lib/rack/multipart.rb
===================================================================
--- rack-1.6.13.orig/lib/rack/multipart.rb
+++ rack-1.6.13/lib/rack/multipart.rb
@@ -14,8 +14,8 @@ module Rack
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
     DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/
     RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i
-    BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
-    BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
+    VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
+    BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
     MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*\s+name="?([^\";]*)"?/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
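Review bot: The new `BROKEN` no longer constrains what follows the filename value (the removed `BROKEN_QUOTED` required end of line or `; token=`), and `\s` became `\s*`, so it accepts more malformed headers than the two patterns it replaces; nothing in this patch documents or tests that. A comment above it such as `# Fallback for non-RFC2183 headers: captures the filename value, either a quoted string or a bare token; trailing text is ignored` would record the intent. `VALUE` also repeats the alternation already inlined in `DISPPARM` two lines up; defining `VALUE` first and writing `DISPPARM = /;\s*(#{TOKEN})=(#{VALUE})/` would keep the two in step. Since the patch name ties this change to CVE-2022-30122, a regression test that parses a long malformed Content-Disposition header under a time bound would guard the fix; no test change is visible here.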