File 003-CVE-2022-24836.patch of Package rubygem-nokogiri.26618
--- a/lib/nokohiri/html/document.rb 2022-10-27 12:37:09.207277680 +0200
+++ b/lib/nokogiri/html/document.rb 2022-10-27 12:39:01.503799789 +0200
@@ -254,7 +254,7 @@
if Nokogiri.jruby? && EncodingReader.is_jruby_without_fix?
return EncodingReader.detect_encoding_for_jruby_without_fix(chunk)
end
- m = chunk.match(/\A(<\?xml[ \t\r\n]+[^>]*>)/) and
+ m = chunk.match(/\A(<\?xml[ \t\r\n][^>]*>)/) and
return Nokogiri.XML(m[1]).encoding
if Nokogiri.jruby?
--- a/test/html/test_document_encoding.rb 2022-10-27 12:43:54.709163018 +0200
+++ b/test/html/test_document_encoding.rb 2022-10-27 12:47:47.390245724 +0200
@@ -138,6 +138,17 @@
assert_equal(evil, ary_from_file)
}
end
+ it "does not start backtracking during detection of XHTML encoding" do
+ # this test is a quick and dirty version
+ # of the more complete perf test that is on main.
+ n = 40_000
+ redos_string = "<?xml " + (" " * n)
+ redos_string.encode!("ASCII-8BIT")
+ start_time = Time.now
+ Nokogiri::HTML4(redos_string)
+ elapsed_time = Time.now - start_time
+ assert_operator(elapsed_time, :<, 1)
+ end
end
end
end