Avoid backtracking in filtered_query_string

jhawthorn · jhawthorn · commit 4d6ce9038e90 · 2024-10-23T17:29:54.000-07:00
Thanks scyoon for the patch CVE-2024-41128
diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb
@@ -68,12 +68,17 @@ def parameter_filter_for(filters) # :doc:
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end
diff --git a/actionpack/lib/action_dispatch/http/filter_redirect.rb b/actionpack/lib/action_dispatch/http/filter_redirect.rb
@@ -37,9 +37,16 @@ def location_filter_match?
       def parameter_filtered_location
         uri = URI.parse(location)
         unless uri.query.nil? || uri.query.empty?
-          uri.query.gsub!(FilterParameters::PAIR_RE) do
-            request.parameter_filter.filter($1 => $2).first.join("=")
+          parts = uri.query.split(/([&;])/)
+          filtered_parts = parts.map do |part|
+            if part.include?("=")
+              key, value = part.split("=", 2)
+              request.parameter_filter.filter(key => value).first.join("=")
+            else
+              part
+            end
           end
+          uri.query = filtered_parts.join("")
         end
         uri.to_s
       rescue URI::Error
