authornagachika <nagachika@ruby-lang.org>2021-04-29 17:20:52 +0900
committernagachika <nagachika@ruby-lang.org>2021-04-29 17:20:52 +0900
commit58240b5d0b52d9685b773e5b9e45d22ca500392a (patch)
treed27c86169056f3b5f5e8bfbf98640af44e21b162
parent13f93ad16d3d1ecf96ece229cd4bc5ea294e1a71 (diff)
merge revision(s) 4ae27d8075b2d138d13cb2b112f0ee50934b3017,2670509ebba5ba31a5bf34cf906943075446e005,8e2ac2140d1cd9c163c1556df58c020dc22ab269:
[ruby/net-ftp] Reduce resource consumption of Net::FTP::TIME_PARSER Reported by Alexandr Savca as a DoS vulnerability, but Net::FTP is a client library and the impact of the issue is low, so I have decided to fix it as a normal issue. Based on patch by nobu. https://github.com/ruby/net-ftp/commit/a93af636f8 --- lib/net/ftp.rb | 5 +++-- test/net/ftp/test_ftp.rb | 11 +++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) [ruby/net-ftp] Add test cases https://github.com/ruby/net-ftp/commit/865232bb2a --- test/net/ftp/test_ftp.rb | 6 ++++++ 1 file changed, 6 insertions(+) test/net/ftp/test_ftp.rb: reduce the size of a long response "9" * 999999999 (about 1 GB) was too large for some CI servers. This commit changes the size to 999999 (about 1 MB). http://rubyci.s3.amazonaws.com/scw-9d6766/ruby-master/log/20210427T141707Z.fail.html.gz http://rubyci.s3.amazonaws.com/raspbian10-aarch64/ruby-master/log/20210427T145408Z.fail.html.gz --- test/net/ftp/test_ftp.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
-rw-r--r--lib/net/ftp.rb5
-rw-r--r--test/net/ftp/test_ftp.rb17
-rw-r--r--version.h4
3 files changed, 22 insertions, 4 deletions
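--- a/lib/net/ftp.rb
+++ b/lib/net/ftp.rb
@@ -1045,10 +1045,11 @@ module Net
 TIME_PARSER = ->(value, local = false) {
 unless /\A(?<year>\d{4})(?<month>\d{2})(?<day>\d{2})
 (?<hour>\d{2})(?<min>\d{2})(?<sec>\d{2})
- (?:\.(?<fractions>\d+))?/x =~ value
+ (?:\.(?<fractions>\d{1,17}))?/x =~ value
+ value = value[0, 97] + "..." if value.size > 100
 raise FTPProtoError, "invalid time-val: #{value}"
 end
- usec = fractions.to_i * 10 ** (6 - fractions.to_s.size)
+ usec = ".#{fractions}".to_r * 1_000_000 if fractions
 Time.public_send(local ? :local : :utc, year, month, day, hour, min, sec, usec)
 }
 FACT_PARSERS = Hash.new(CASE_DEPENDENT_PARSER)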
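Review bot: The fraction group on the added `(?:\.(?<fractions>\d{1,17}))?` line is now bounded, but the regex is anchored only with `\A` and has no `\z`, so a value with more than 17 fraction digits (or any trailing text) still parses and the excess is silently dropped rather than rejected — the new `"9" * 999999` test depends on exactly that. That is a reasonable choice for a client-side parser, but it should be stated next to the bound so the limit is not mistaken for input validation, e.g. `# use at most 17 fraction digits so the Rational below stays cheap; longer fractions and trailing text are ignored, not rejected`. On the following added line the parameter itself is rebound (`value = value[0, 97] + "..." if value.size > 100`), which only happens on the error path; a separate local such as `shown = value.size > 100 ? value[0, 97] + "..." : value` used in the `raise` would make that intent clearer. The class enclosing TIME_PARSER starts outside the hunk.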
diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb
index 023e79435a..318e4c8856 100644
--- a/test/net/ftp/test_ftp.rb
+++ b/test/net/ftp/test_ftp.rb
@@ -2474,6 +2474,23 @@ EOF
end
end
+ def test_time_parser
+ s = "20371231000000"
+ assert_equal(Time.utc(2037, 12, 31, 0, 0, 0),
+ Net::FTP::TIME_PARSER[s])
+ s = "20371231000000.123456"
+ assert_equal(Time.utc(2037, 12, 31, 0, 0, 0, 123456),
+ Net::FTP::TIME_PARSER[s])
+ s = "20371231000000." + "9" * 999999
+ assert_equal(Time.utc(2037, 12, 31, 0, 0, 0,
+ 99999999999999999r / 100000000000),
+ Net::FTP::TIME_PARSER[s])
+ e = assert_raise(Net::FTPProtoError) {
+ Net::FTP::TIME_PARSER["x" * 999999]
+ }
+ assert_equal("invalid time-val: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...", e.message)
+ end
+
private
def create_ftp_server(sleep_time = nil)
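Review bot: The expected message in the added `assert_equal("invalid time-val: xxx...", e.message)` line spells out 97 x's literally, which a reader cannot check against the `value[0, 97]` truncation by eye; `assert_equal("invalid time-val: #{"x" * 97}...", e.message)` states the intent directly and is robust to copy errors. The boundary of the new 17-digit cap is not pinned down either: one case with exactly 17 fraction digits and one with 18 would document that the 18th digit is dropped rather than rejected, and the `local = true` branch of TIME_PARSER is not exercised at all. The enclosing test class starts outside the hunk.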
diff --git a/version.h b/version.h
index f4cfe79521..49bbef749c 100644
--- a/version.h
+++ b/version.h
@@ -12,11 +12,11 @@
# define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
#define RUBY_VERSION_TEENY 2
#define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 72
+#define RUBY_PATCHLEVEL 73
#define RUBY_RELEASE_YEAR 2021
#define RUBY_RELEASE_MONTH 4
-#define RUBY_RELEASE_DAY 24
+#define RUBY_RELEASE_DAY 29
#include "ruby/version.h"