From ef52af28b6ac43789fd8fc05df098b56f220f0fa Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Tue, 13 Feb 2024 13:34:34 -0800
Subject: Return an empty array when ranges are too large

If the sum of the requested ranges is larger than the file itself,
return an empty array. In other words, refuse to respond with any bytes.

[CVE-2024-26141]
---
 lib/rack/utils.rb  | 3 +++
 test/spec_utils.rb | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 16457f90..87c2a946 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -382,6 +382,9 @@ module Rack
         end
         ranges << (r0..r1)  if r0 <= r1
       end
+
+      return [] if ranges.map(&:size).sum > size
+
       ranges
     end
     module_function :get_byte_ranges
diff --git a/test/spec_utils.rb b/test/spec_utils.rb
index 5fd92241..67b77b0d 100644
--- a/test/spec_utils.rb
+++ b/test/spec_utils.rb
@@ -548,6 +548,10 @@ describe Rack::Utils, "cookies" do
 end
 
 describe Rack::Utils, "byte_range" do
+  it "returns an empty list if the sum of the ranges is too large" do
+    assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
+  end
+
   it "ignore missing or syntactically invalid byte ranges" do
     Rack::Utils.byte_ranges({}, 500).must_be_nil
     Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
-- 
2.30.2