File CVE-2021-22880-postgresql-money-dos.patch of Package rubygem-activerecord-5_1

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-22880-postgresql-money-dos.patch of Package rubygem-activerecord-5_1

From 130cdf35f76ebc13f71cc70fb023cb001e6950ca Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Wed, 10 Feb 2021 09:36:15 -0800
Subject: [PATCH] Fix possible DoS vector in PostgreSQL money type

Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter.  This patch
fixes the regexp.

Thanks to @dee-see from Hackerone for this patch!

[CVE-2021-22880]
---
 .../connection_adapters/postgresql/oid/money.rb           | 4 ++--
 activerecord/test/cases/adapters/postgresql/money_test.rb | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

--- a/lib/active_record/connection_adapters/postgresql/oid/money.rb
+++ b/lib/active_record/connection_adapters/postgresql/oid/money.rb
@@ -24,9 +24,9 @@ module ActiveRecord
 
             value.sub!(/^$(.+)$$/, '-\1') # (4)
             case value
-            when /^-?\D+[\d,]+\.\d{2}$/  # (1)
+            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
               value.gsub!(/[^-\d.]/, "")
-            when /^-?\D+[\d.]+,\d{2}$/  # (2)
+            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
               value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
             end

Places

File CVE-2021-22880-postgresql-money-dos.patch of Package rubygem-activerecord-5_1

Places