Fix ReDoS in accept header scanning

tenderlove · tenderlove · commit a3f3c3e5d658 · 2024-02-21T10:17:42.000-08:00
Thanks svalkanov for the patch! [CVE-2024-26142]
diff --git a/actionpack/lib/action_dispatch/http/mime_type.rb b/actionpack/lib/action_dispatch/http/mime_type.rb
@@ -157,7 +157,7 @@ class << self
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
       # all media-type parameters need to be before the q-parameter
       # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
-      PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
       ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
 
       def register_callback(&block)
@@ -197,7 +197,7 @@ def register(string, symbol, mime_type_synonyms = [], extension_synonyms = [], s
       def parse(accept_header)
         if !accept_header.include?(",")
           if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
-            accept_header = accept_header[0, index]
+            accept_header = accept_header[0, index].strip
           end
           return [] if accept_header.blank?
           parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
