From 5a256f0d2106968330bb9b4535570f927e3ac998 Mon Sep 17 00:00:00 2001
From: liningjie
Date: Wed, 3 Jul 2024 17:55:00 +0800
Subject: [PATCH] Fix CVE-2024-39316
---
 CVE-2024-39316.patch | 53 ++++++++++++++++++++++++++++++++++++++++++++
 rubygem-rack.spec | 10 +++++++--
 2 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2024-39316.patch
diff --git a/CVE-2024-39316.patch b/CVE-2024-39316.patch
new file mode 100644
index 0000000..cfd0d9d
--- /dev/null
+++ b/CVE-2024-39316.patch
@@ -0,0 +1,53 @@
+From 412c980450ca729ee37f90a2661f166a9665e058 Mon Sep 17 00:00:00 2001
+From: Dwi Siswanto
+Date: Tue, 2 Jul 2024 11:29:28 +0700
+Subject: [PATCH] Merge pull request from GHSA-cj83-2ww7-mvq7
+
+* fix: ReDoS in the `parse_http_accept_header` method
+
+Signed-off-by: Dwi Siswanto
+
+* fix: optimize HTTP Accept headers parsing
+
+by:
+
+* updated `parse_http_accept_header` method to
+ avoid unnecessary array allocation from `map`.
+* used `strip!` to modify strings in place,
+ avoiding additional string allocations.
+* plus, safe navigation for `parameters` to
+ handle nil cases.
+
+this improves memory efficiency in header parsing.
+
+Co-authored-by: Jeremy Evans
+Signed-off-by: Dwi Siswanto
+
+---------
+
+Signed-off-by: Dwi Siswanto
+Co-authored-by: Jeremy Evans
+---
+ lib/rack/request.rb | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/request.rb b/lib/rack/request.rb
+index b880b6ec..ccbd07da 100644
+--- a/lib/rack/request.rb
++++ b/lib/rack/request.rb
+@@ -642,8 +642,10 @@ module Rack
+ end
+ 
+ def parse_http_accept_header(header)
+- header.to_s.split(/\s*,\s*/).map do |part|
+- attribute, parameters = part.split(/\s*;\s*/, 2)
++ header.to_s.split(',').map do |part|
++ attribute, parameters = part.split(';', 2)
++ attribute.strip!
++ parameters&.strip!
+ quality = 1.0
+ if parameters and /\Aq=([\d.]+)/ =~ parameters
+ quality = $1.to_f
+-- 
+2.43.0.windows.1
+
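Review bot: On the new side of the backported hunk, `attribute.strip!` raises NoMethodError for a header with an empty segment, because `"gzip,,deflate".split(',')` yields an empty part and `"".split(';', 2)` returns `[]`, leaving `attribute` nil; the removed regex version produced the same nil attribute but never called a method on it, so a request carrying `Accept-Encoding: gzip,,deflate` (or any of the `accept_*` lookups on such a header) goes from a harmless `[nil, 1.0]` entry to a 500 once this patch is applied. Treating `attribute` the same way as `parameters`, i.e. `attribute&.strip!`, restores the pre-patch behaviour for that input while keeping the ReDoS fix intact. The trailing `[attribute, quality]` line and the method's closing `end`s fall outside the hunk, so this was checked only against the visible lines. Separately, the `@@ -642,8 +642,10 @@` header carries upstream line numbers, so it is worth confirming in a scratch build that the hunk still applies against the 2.2.3.1 tree.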
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index ead1e79..bc7bdb9 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@@ -4,11 +4,14 @@
 Name: rubygem-%{gem_name}
 Version: 2.2.3.1
 Epoch: 1
-Release: 2
+Release: 3
 Summary: A modular Ruby webserver interface
 License: MIT and BSD
 URL: https://rack.github.io/
 Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem
+
+Patch0: CVE-2024-39316.patch
+
 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(concurrent-ruby)
 BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
 BuildRequires: rubygem(memcache-client)
@@ -39,7 +42,7 @@ BuildArch: noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -n %{gem_name}-%{version}
+%autosetup -n %{gem_name}-%{version} -p1 -S git
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -97,6 +100,9 @@ popd
 %doc %{gem_instdir}/contrib
 
 %changelog
+* Wed Jul 3 2024 liningjie - 1:2.2.3.1-3
+- Fix CVE-2024-39316
+
 * Wed Apr 19 2023 sjxur - 1:2.2.3.1-2
 - fix issue(I6UCVJ) for rubygem-rack build problem in openEuler:22.03:LTS:Next
-- 
Gitee
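Review bot: The %prep hunk's new line `%autosetup -n %{gem_name}-%{version} -p1 -S git` makes rpm drive patch application through git (init, add, apply, commit), so the build now needs a git binary in the build root, yet the first hunk of this file adds `Patch0` without a matching `BuildRequires: git`; unless the distribution's default build root already ships git, the build will fail in %prep rather than at patch-apply time. For a single straightforward patch, `%autosetup -n %{gem_name}-%{version} -p1` (the default patch backend) avoids the new build dependency, and if git-backed application is wanted for its reject diagnostics, `BuildRequires: git` should go next to the other BuildRequires lines. Dropping `-q` is fine here, since %autosetup is quiet unless `-v` is given.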