From: Chris Lamb <lamby@debian.org>
Date: Thu, 13 May 2021 11:22:35 +0100
Subject: CVE-2020-7663: Prevent a denial of service attack made possible by
an exponential-time regular expression backtracking vulnerability.
(Closes: #964274)
---
lib/websocket/extensions/parser.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/websocket/extensions/parser.rb b/lib/websocket/extensions/parser.rb
index 06db917..38d1f19 100644
--- a/lib/websocket/extensions/parser.rb
+++ b/lib/websocket/extensions/parser.rb
@@ -6,7 +6,7 @@ module WebSocket
class Parser
TOKEN = /([!#\$%&'\*\+\-\.\^_`\|~0-9a-z]+)/
NOTOKEN = /([^!#\$%&'\*\+\-\.\^_`\|~0-9a-z])/
- QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/
+ QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/
PARAM = %r{#{TOKEN.source}(?:=(?:#{TOKEN.source}|#{QUOTED.source}))?}
EXT = %r{#{TOKEN.source}(?: *; *#{PARAM.source})*}
EXT_LIST = %r{^#{EXT.source}(?: *, *#{EXT.source})*$}
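Review bot: The changed `QUOTED` line has no comment explaining why the backslash was added to the negated character class, so a later edit could reintroduce the overlap between the two alternatives that allowed exponential backtracking. I would add above it something like `# A bare backslash is excluded from the plain-character class so it can only match as part of an escape (CVE-2020-7663)`. Separately, `EXT_LIST` on the last line of the hunk is anchored with `^`/`$`, which match at line boundaries in Ruby. If it is used to validate a whole header value (its use is outside this hunk), `\A`/`\z` would be the stricter choice. The patch also adds no regression test, and one that bounds parse time on a long malformed quoted parameter would guard the fix. The `Parser` class body continues beyond the hunk.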