authorShugo Maeda <shugo@ruby-lang.org>2021-04-21 09:43:39 +0900
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2021-04-27 21:21:33 +0900
commit4ae27d8075b2d138d13cb2b112f0ee50934b3017 (patch)
tree3723b485bba5fb28cff3fc80ef603e1846d0d457 /lib/net
parent990baec41174a0b4cf7e285cf3185b4ab444437e (diff)
[ruby/net-ftp] Reduce resource cosumption of Net::FTP::TIME_PARSER
Reported by Alexandr Savca as a DoS vulnerability, but Net::FTP is a client library and the impact of the issue is low, so I have decided to fix it as a normal issue. Based on patch by nobu. https://github.com/ruby/net-ftp/commit/a93af636f8
Diffstat (limited to 'lib/net')
-rw-r--r--lib/net/ftp.rb5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb
index da502129a5..3536e01ba3 100644
--- a/lib/net/ftp.rb
+++ b/lib/net/ftp.rb
@@ -1054,10 +1054,11 @@ module Net
TIME_PARSER = ->(value, local = false) {
unless /\A(?<year>\d{4})(?<month>\d{2})(?<day>\d{2})
(?<hour>\d{2})(?<min>\d{2})(?<sec>\d{2})
- (?:\.(?<fractions>\d+))?/x =~ value
+ (?:\.(?<fractions>\d{1,17}))?/x =~ value
+ value = value[0, 97] + "..." if value.size > 100
raise FTPProtoError, "invalid time-val: #{value}"
end
- usec = fractions.to_i * 10 ** (6 - fractions.to_s.size)
+ usec = ".#{fractions}".to_r * 1_000_000 if fractions
Time.public_send(local ? :local : :utc, year, month, day, hour, min, sec, usec)
}
FACT_PARSERS = Hash.new(CASE_DEPENDENT_PARSER)
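Review bot: The time pattern is anchored with `\A` but has no `\z`, so the new `\d{1,17}` bound does not reject an over-long fraction sent by the server; the match succeeds on the prefix and the remaining digits, like any other trailing bytes, are silently dropped. The truncating `raise` branch is therefore reached only when the leading fourteen digits are malformed. That appears sufficient to keep the `to_r` conversion cheap, but the behaviour deserves a comment above the pattern, for example `# Prefix match only: fraction digits past 17 and any trailing data are ignored, not rejected.` If rejection is the intent, ending the pattern with `\z` would enforce it, at the price of changing which server replies are accepted.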