File CVE-2015-3225.patch of Package rubygem-rack-1_4.767
diff -Naur a/lib/rack/utils.rb b/lib/rack/utils.rb
--- a/lib/rack/utils.rb 1970-01-01 01:00:00.000000000 +0100
+++ b/lib/rack/utils.rb 2015-07-08 16:40:01.921000003 +0200
@@ -51,12 +51,17 @@
class << self
attr_accessor :key_space_limit
+ attr_accessor :param_depth_limit
end
# The default number of bytes to allow parameter keys to take up.
# This helps prevent a rogue client from flooding a Request.
self.key_space_limit = 65536
+ # Default depth at which the parameter parser will raise an exception for
+ # being too deep. This helps prevent SystemStackErrors
+ self.param_depth_limit = 100
+
# Stolen from Mongrel, with some small modifications:
# Parses a query string by breaking it up at the '&'
# and ';' characters. You can also use this to parse
@@ -100,7 +105,9 @@
end
module_function :parse_nested_query
- def normalize_params(params, name, v = nil)
+ def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit)
+ raise RangeError if depth <= 0
+
name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
k = $1 || ''
after = $' || ''
@@ -118,14 +125,14 @@
params[k] ||= []
raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
- normalize_params(params[k].last, child_key, v)
+ normalize_params(params[k].last, child_key, v, depth - 1)
else
- params[k] << normalize_params(params.class.new, child_key, v)
+ params[k] << normalize_params(params.class.new, child_key, v, depth - 1)
end
else
params[k] ||= params.class.new
raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
- params[k] = normalize_params(params[k], after, v)
+ params[k] = normalize_params(params[k], after, v, depth - 1)
end
return params
