| author | Samuel Giddins <segiddins@segiddins.me> | 2024-04-11 00:05:42 -0700 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2024-04-30 15:34:48 +0000 |
| commit | d950609ec709c7c4dc48603b9b2d88f840a520fb (patch) | |
| tree | 2da7c1649e163787a16d702e419f1d2b3df785c4 /ext/json/VERSION | |
| parent | e0949c3f7cbf32d46ee276d69343b7cb8da4325f (diff) | |
[rubygems/rubygems] Add a limit to the size of the metadata and checksums files in a gem package.
This is to prevent a malicious gem from causing a denial of service by
including a very large metadata or checksums file,
which is then read into memory in its entirety just by opening the gem package.
This is guaranteed to limit the amount of memory needed, since
gzips (which use deflate streams for compression) have a maximum compression
ratio of 1032:1, so the uncompressed size of the metadata or checksums file
will be at most 1032 times the size of the (limited) amount of data read.
This prevents a gem from causing 500GB of memory to be allocated
to read a 500MB metadata file.
https://github.com/rubygems/rubygems/commit/a596e3c5ec
Diffstat (limited to 'ext/json/VERSION')
0 files changed, 0 insertions, 0 deletions
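As an added illustration of the bound the commit message relies on, not code from the rubygems commit itself: a reader that consumes at most a fixed number of compressed bytes before inflating, so the memory needed can never exceed 1032 times that limit. `read_gzip_entry_bounded`, `OversizedEntry`, `worst_case_uncompressed` and the two sample inputs are this example's own names and constructed data, not rubygems APIs or real gem files.

```ruby
require "zlib"
require "stringio"

# Maximum compression ratio a deflate stream can achieve (the figure the
# commit message relies on). A gzip member can never inflate beyond this.
MAX_DEFLATE_RATIO = 1032

class OversizedEntry < StandardError; end

# Memory that inflating at most +max_compressed+ bytes can ever require.
def worst_case_uncompressed(max_compressed)
  max_compressed * MAX_DEFLATE_RATIO
end

# Read one gzip-compressed entry from +io+, consuming at most +max_compressed+
# bytes of compressed input. Because deflate cannot exceed MAX_DEFLATE_RATIO,
# the decompressed result is bounded without inflating an unbounded stream.
def read_gzip_entry_bounded(io, max_compressed)
  # Ask for one byte more than the limit: a longer read proves the entry is too big.
  data = io.read(max_compressed + 1) || "".b
  if data.bytesize > max_compressed
    raise OversizedEntry, "compressed entry exceeds #{max_compressed} bytes"
  end
  Zlib::GzipReader.new(StringIO.new(data)).read
end

# --- constructed sample inputs (hypothetical, not real gem files) -----------
SMALL_METADATA_GZ = Zlib.gzip("--- !ruby/object:Gem::Specification\nname: example\nversion: 1.0.0\n")
# A highly compressible payload: the shape an oversized metadata file takes.
BOMB_GZ = Zlib.gzip("\0" * (1 << 20))

def demo
  ok = read_gzip_entry_bounded(StringIO.new(SMALL_METADATA_GZ), 512)
  puts "small metadata read: #{ok.bytesize} bytes"
  begin
    read_gzip_entry_bounded(StringIO.new(BOMB_GZ), 512)
  rescue OversizedEntry => e
    puts "rejected oversized entry: #{e.message}"
  end
end

demo if __FILE__ == $0
```

With a 512-byte compressed limit the worst case is 528,384 bytes of memory; a 1 MiB payload is refused before any inflation happens, while the same payload is read normally under a 4 KiB limit.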