Return an empty array when ranges are too large

tenderlove · tenderlove · commit 62457686b26d · 2024-02-21T11:12:58.000-08:00
If the sum of the requested ranges is larger than the file itself, return an empty array. In other words, refuse to respond with any bytes. [CVE-2024-26141]
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
@@ -380,6 +380,9 @@ def get_byte_ranges(http_range, size)
         end
         ranges << (r0..r1)  if r0 <= r1
       end
+
+      return [] if ranges.map(&:size).sum > size
+
       ranges
     end
 
diff --git a/test/spec_utils.rb b/test/spec_utils.rb
@@ -590,6 +590,10 @@ def initialize(*)
 end
 
 describe Rack::Utils, "byte_range" do
+  it "returns an empty list if the sum of the ranges is too large" do
+    assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
+  end
+
   it "ignore missing or syntactically invalid byte ranges" do
     Rack::Utils.byte_ranges({}, 500).must_be_nil
     Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
