From 8e057db25bff1dc7a98e9ae72e0083825b9ac545 Mon Sep 17 00:00:00 2001
From: John Hawthorn
Date: Thu, 10 Oct 2024 20:32:00 -0700
Subject: [PATCH] Avoid backtracking in Token#raw_params

Thanks to scyoon for the patch

[CVE-2024-47887]
---
 lib/action_controller/metal/http_authentication.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/action_controller/metal/http_authentication.rb b/lib/action_controller/metal/http_authentication.rb
index 01676f3..55760aa 100644
--- a/lib/action_controller/metal/http_authentication.rb
+++ b/lib/action_controller/metal/http_authentication.rb
@@ -481,7 +481,8 @@ module ActionController
       # pairs by the standardized :, ;, or \t
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
+        _raw_params.reject!(&:empty?)
 
         if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
-- 
2.33.0
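Review bot: The new `map(&:strip)` / `reject!(&:empty?)` pair on the two added lines changes slightly more than the backtracking the subject describes: `strip` also trims the outer ends of the first and last pair (including a trailing NUL, which `String#strip` removes), and empty pairs from a doubled delimiter are now dropped where the old `split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)` kept them. Both look harmless for header parsing, but a short comment would stop the next reader from restoring the regex form, e.g. `# Split on the bare delimiter and strip afterwards; \s* on both sides of the delimiter backtracks on long whitespace runs (CVE-2024-47887).`. The diffstat shows only the library file changing, so a regression test that feeds a header containing a long run of whitespace before a delimiter (a constructed input) and asserts the parsed pairs, guarded by a timeout, would pin the fix. The body of `raw_params` continues past the end of the hunk.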