
Commit 4849132

committed
Return an empty array when ranges are too large
If the sum of the requested ranges is larger than the file itself, return an empty array. In other words, refuse to respond with any bytes. [CVE-2024-26141]
1 parent a227cd7 commit 4849132

File tree

2 files changed

+7
-0
lines changed


lib/rack/utils.rb

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -459,6 +459,9 @@ def get_byte_ranges(http_range, size)
459459
end
460460
ranges << (r0..r1) if r0 <= r1
461461
end
462+
463+
return [] if ranges.map(&:size).sum > size
464+
462465
ranges
463466
end
464467
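Review bot: the guard added at line 463 bounds the total of the requested inclusive range sizes but does not collapse overlapping ranges, so `bytes=0-249,0-249` against a 500-byte file still passes (sum is exactly 500, not greater) while `bytes=0-499,0-499` is refused. The total served can no longer exceed the file size, which is the amplification the commit message targets, but a comment above the `return` stating that the check bounds total bytes rather than overlap would spare the next reader from expecting deduplication. One compatibility point: `Array#sum` exists only from Ruby 2.4, so confirm it against the gem's minimum supported Ruby before merging.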

test/spec_utils.rb

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -716,6 +716,10 @@ def initialize(*)
716716
end
717717

718718
describe Rack::Utils, "get_byte_ranges" do
719+
it "returns an empty list if the sum of the ranges is too large" do
720+
assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
721+
end
722+
719723
deprecated "pase simple byte ranges from env" do
720724
Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=123-456" }, 500).must_equal [(123..456)]
721725
end
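Review bot: the spec added at line 720 exercises only the rejecting path; add a companion assertion that a request whose ranges fit within the file (for example `bytes=0-20,0-400` against 500, which sums to 422) still returns both ranges, plus a boundary case where the sizes sum to exactly the file size, so a later edit cannot tighten `>` to `>=` unnoticed. Style: the surrounding specs use the `must_equal` expectation style (line 724) while the new test uses `assert_equal`; keep one style within the file. The description also says "empty list" where the commit message and the code say empty array; matching the wording helps when searching.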
