File 003-CVE-2022-24836.patch of Package rubygem-nokogiri.26618

--- a/lib/nokohiri/html/document.rb 2022-10-27 12:37:09.207277680 +0200
+++ b/lib/nokogiri/html/document.rb 2022-10-27 12:39:01.503799789 +0200
@@ -254,7 +254,7 @@
           if Nokogiri.jruby? && EncodingReader.is_jruby_without_fix?
             return EncodingReader.detect_encoding_for_jruby_without_fix(chunk)
           end
-          m = chunk.match(/\A(<\?xml[ \t\r\n]+[^>]*>)/) and
+          m = chunk.match(/\A(<\?xml[ \t\r\n][^>]*>)/) and
             return Nokogiri.XML(m[1]).encoding
 
           if Nokogiri.jruby?
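Review bot: Nothing on the changed line says why the whitespace class after `<\?xml` must stay unquantified, so a later cleanup could restore the `+` and bring back the backtracking this patch removes. `[^>]*` already consumes spaces, tabs and newlines, so `[ \t\r\n]+[^>]*` gave the engine many ways to split one whitespace run when no `>` follows, which appears to be the slow case the new test exercises. I would add a comment above the match such as `# exactly one whitespace char: [^>]* already matches the rest; quantifying both backtracks on unterminated input (CVE-2022-24836)`. The enclosing method starts and ends outside the hunk. Separately, the `---` header spells the path `lib/nokohiri/...` while `+++` has `lib/nokogiri/...`, which is worth correcting so the patch applies whichever name the tool picks.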

--- a/test/html/test_document_encoding.rb	2022-10-27 12:43:54.709163018 +0200
+++ b/test/html/test_document_encoding.rb	2022-10-27 12:47:47.390245724 +0200
@@ -138,6 +138,17 @@
           assert_equal(evil, ary_from_file)
         }
       end
+      it "does not start backtracking during detection of XHTML encoding" do
+          # this test is a quick and dirty version
+          # of the more complete perf test that is on main.
+          n = 40_000
+          redos_string = "<?xml " + (" " * n)
+          redos_string.encode!("ASCII-8BIT")
+          start_time = Time.now
+          Nokogiri::HTML4(redos_string)
+          elapsed_time = Time.now - start_time
+          assert_operator(elapsed_time, :<, 1)
+      end
     end
   end
 end
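Review bot: `Nokogiri::HTML4(redos_string)` may not resolve in this package. The patched paths are `lib/nokogiri/html/` and `test/html/`, which suggests a release from before the `HTML4` namespace existed, so the test would likely fail with a NameError instead of measuring the regex; `Nokogiri::HTML(redos_string)` is available under both layouts. The one-second bound is also computed from `Time.now`, which follows wall-clock adjustments and can misreport on a loaded build worker; `start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)` with the matching subtraction is steadier. The `it` body is indented four columns under `it` where the surrounding tests use two.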