From fb493bebae1a9b83e494fe7edbf01f6167d606fd Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 10 Oct 2024 20:41:33 -0700
Subject: [PATCH] Avoid backtracking in filtered_query_string

Thanks scyoon for the patch

CVE-2024-41128
---
 lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/lib/action_dispatch/http/filter_parameters.rb b/lib/action_dispatch/http/filter_parameters.rb
index ec86b8b..6bc5c0b 100644
--- a/lib/action_dispatch/http/filter_parameters.rb
+++ b/lib/action_dispatch/http/filter_parameters.rb
@@ -72,12 +72,17 @@ module ActionDispatch
         ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end
-- 
2.33.0