From 58240b5d0b52d9685b773e5b9e45d22ca500392a Mon Sep 17 00:00:00 2001 From: nagachika Date: Thu, 29 Apr 2021 17:20:52 +0900 Subject: merge revision(s) 4ae27d8075b2d138d13cb2b112f0ee50934b3017,2670509ebba5ba31a5bf34cf906943075446e005,8e2ac2140d1cd9c163c1556df58c020dc22ab269: [ruby/net-ftp] Reduce resource cosumption of Net::FTP::TIME_PARSER Reported by Alexandr Savca as a DoS vulnerability, but Net::FTP is a client library and the impact of the issue is low, so I have decided to fix it as a normal issue. Based on patch by nobu. https://github.com/ruby/net-ftp/commit/a93af636f8 --- lib/net/ftp.rb | 5 +++-- test/net/ftp/test_ftp.rb | 11 +++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) [ruby/net-ftp] Add test cases https://github.com/ruby/net-ftp/commit/865232bb2a --- test/net/ftp/test_ftp.rb | 6 ++++++ 1 file changed, 6 insertions(+) test/net/ftp/test_ftp.rb: reduce the size of a long response "9" * 999999999 (about 1 GB) was too large for some CI servers. This commit changes the size to 999999 (about 1 MB). http://rubyci.s3.amazonaws.com/scw-9d6766/ruby-master/log/20210427T141707Z.fail.html.gz http://rubyci.s3.amazonaws.com/raspbian10-aarch64/ruby-master/log/20210427T145408Z.fail.html.gz --- test/net/ftp/test_ftp.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- lib/net/ftp.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lib')
diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb
index 88e8655c1c..5e3e181c16 100644
--- a/lib/net/ftp.rb
+++ b/lib/net/ftp.rb
@@ -1045,10 +1045,11 @@ module Net
 TIME_PARSER = ->(value, local = false) {
 unless /\A(?\d{4})(?\d{2})(?\d{2})
 (?\d{2})(?\d{2})(?\d{2})
- (?:\.(?\d+))?/x =~ value
+ (?:\.(?\d{1,17}))?/x =~ value
+ value = value[0, 97] + "..." if value.size > 100
 raise FTPProtoError, "invalid time-val: #{value}"
 end
- usec = fractions.to_i * 10 ** (6 - fractions.to_s.size)
+ usec = ".#{fractions}".to_r * 1_000_000 if fractions
 Time.public_send(local ? :local : :utc, year, month, day, hour, min, sec, usec)
 }
 FACT_PARSERS = Hash.new(CASE_DEPENDENT_PARSER)
-- cgit v1.2.3
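Review bot: The new `\d{1,17}` bound on the `+ (?:\.(?\d{1,17}))?/x =~ value` line has no terminator after it and the pattern is anchored only at the start with `\A`, so a time-val carrying 18 or more fraction digits (or any trailing text) still matches and the surplus digits are silently discarded instead of being rejected as an invalid time-val. If the MLSD/MDTM callers can tolerate strict matching, close the pattern with `\z` (`(?:\.(?<fractions>\d{1,17}))?\z/x =~ value`); if trailing text must remain tolerated, appending `(?!\d)` after the optional group at least refuses over-long fractions rather than truncating them. A short why-comment would also help the next maintainer, e.g. `# fraction capped at 17 digits so to_r and Time stay cheap on hostile server input`. The capture names are not visible in this rendering, so `fractions` is inferred from its use in the `usec` line below.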