Sha256: 9f36a6b67133e3a458c8c10526481f5bf7c3e8a38bd8e9e3d26cc7e83150de3c
Contents?: true
Size: 1.11 KB
Versions: 21
Compression:
Stored size: 1.11 KB
Contents
# frozen_string_literal: true
if Gem.loaded_specs["rack"].version >= Gem::Version.new("3.0.0")
fail <<~ERR
This patch is unnecessary in Rack versions 3.0.0 or newer.
Please remove this file and the associated spec.
See https://github.com/rack/rack/blob/main/CHANGELOG.md#security (issue #1733)
ERR
end
# Patches a cache poisoning attack vector in Rack by not allowing semicolons
# to delimit query parameters.
# See https://github.com/rack/rack/issues/1732.
#
# Solution is taken from the same issue.
#
# The actual patch is due for release in Rack 3.0.0.
module Rack
class Request # rubocop:disable Style/Documentation
Helpers.module_eval do
# rubocop: disable Naming/MethodName
def GET
if get_header(RACK_REQUEST_QUERY_STRING) == query_string
get_header(RACK_REQUEST_QUERY_HASH)
else
query_hash = parse_query(query_string, "&") # only allow ampersand here
set_header(RACK_REQUEST_QUERY_STRING, query_string)
set_header(RACK_REQUEST_QUERY_HASH, query_hash)
end
end
# rubocop: enable Naming/MethodName
end
end
end
Version data entries
21 entries across 21 versions & 1 rubygems