Avoid backtracking in Token#raw_params

jhawthorn · jhawthorn · commit 7c1398854d51 · 2024-10-15T12:29:37.000-07:00
Thanks to scyoon for the patch [CVE-2024-47887]
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -507,14 +507,11 @@ def rewrite_param_values(array_params)
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
-      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
-      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
-
       # This method takes an authorization body and splits up the key-value
       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
         _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)
