# frozen_string_literal: true
# Guard against the patch outliving its purpose: Rack 3.0.0 ships the fix
# itself, so loading this file against a patched Rack is a configuration error.
raise <<~ERR if Gem.loaded_specs['rack'].version >= Gem::Version.new("3.0.0")
  This patch is unnecessary in Rack versions 3.0.0 or newer.
  Please remove this file and the associated spec.

  See https://github.com/rack/rack/blob/main/CHANGELOG.md#security (issue #1733)
ERR
# Patches a cache-poisoning attack vector in Rack by no longer allowing
# semicolons to delimit query parameters.
# See https://github.com/rack/rack/issues/1732.
#
# The solution is taken from the same issue.
#
# The actual patch is due for release in Rack 3.0.0.
module Rack
  class Request
    # Reopen Rack::Request::Helpers so every Request picks up the hardened GET.
    Helpers.module_eval do
      # rubocop: disable Naming/MethodName

      # Returns the parsed GET parameters for this request.
      #
      # The query string is split on '&' only; ';' is deliberately not accepted
      # as a parameter delimiter. The parsed hash is cached in the request env
      # alongside the query string it was parsed from, and reused while the
      # query string is unchanged.
      #
      # @return [Hash] the parsed query parameters
      def GET
        return get_header(RACK_REQUEST_QUERY_HASH) if get_header(RACK_REQUEST_QUERY_STRING) == query_string

        # Parse before touching the env: a parse failure must not leave a
        # cached query string without a matching hash.
        parsed = parse_query(query_string, '&') # ampersand is the only delimiter
        set_header(RACK_REQUEST_QUERY_STRING, query_string)
        set_header(RACK_REQUEST_QUERY_HASH, parsed)
      end

      # rubocop: enable Naming/MethodName
    end
  end
end