Issue #5149 has been updated by Alex Young.

File uri.patch added

I'd disagree with the location of this bug.  I've had a quick look, and while this doesn't look like a Ruby bug, perhaps it ought to be. The regex as given:

    /\A(?:%\h\h|[^%]+)*\z/

does not appear in Rack, but *does* appear in lib/ruby/1.9.1/uri/common.rb (line 778 in -p290).  Rack has this:

    /\A(?:%[0-9a-fA-F]{2}|[^%])*\z/

This would not appear to suffer from the same exponential behaviour as that in URI, while apparently validating the same strings. Perhaps the appropriate substitution should be made in uri/common.rb?  Patch untested, but "looks right".
----------------------------------------
Bug #5149: Specific combination of regexp and string causes 100% CPU and doesn't recover
http://redmine.ruby-lang.org/issues/5149

Author: Gregory Mostizky
Status: Open
Priority: Urgent
Assignee: 
Category: 
Target version: 
ruby -v: ruby 1.9.2p136 (2010-12-25 revision 30365) [i686-linux


A specific combination of regexp and string can cause a Ruby process to hang with 100% CPU.

Reproducing (in irb):

    /\A(?:%\h\h|[^%]+)*\z/ =~ "199542328.1312293792.1.1.utmcsr%3Dgoogle%7Cutmccn%"

(above hangs indefinitely with 100% CPU)

    /\A(?:%\h\h|[^%]+)*\z/ =~ "199542328.1312293792.1.1.utmcsr%3Dgoogle%7Cutmccn"

(same but without % at the end returns successfully)

The code in question is found in Rack::Utils (v1.3.2, not used in v1.2.1) and can basically "kill" any server process (happened to us in production on a thin machine after we upgraded to a newer Rack). The above bug means that it is very easy to perform DoS on an affected Ruby server.



-- 
http://redmine.ruby-lang.org
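
The comment above says the Rack pattern appears to validate the same strings as the one in uri/common.rb without the exponential behaviour. As an added example (not part of the original issue, the attached uri.patch, or either project's code), this Ruby sketch checks that claim exhaustively over short strings against a regex-free single-pass validator. The helper names, the alphabet and the length bound are assumptions, chosen so the backtracking pattern stays cheap to run.

```ruby
# Added example: not code from Ruby, Rack or the attached uri.patch.
URI_STYLE  = /\A(?:%\h\h|[^%]+)*\z/          # quoted on the page from uri/common.rb
RACK_STYLE = /\A(?:%[0-9a-fA-F]{2}|[^%])*\z/ # quoted on the page from Rack

# The two inputs from the bug report.
TRAILING_PERCENT = "199542328.1312293792.1.1.utmcsr%3Dgoogle%7Cutmccn%"
NO_TRAILING      = "199542328.1312293792.1.1.utmcsr%3Dgoogle%7Cutmccn"

# Hypothetical regex-free reference: one left-to-right pass, so there is
# nothing to backtrack over. Each "%" must be followed by two hex digits.
def valid_percent_encoding?(str)
  i = 0
  while i < str.length
    if str[i] == "%"
      return false unless str[i + 1, 2].match?(/\A\h\h\z/)
      i += 3
    else
      i += 1
    end
  end
  true
end

# Every string over a small constructed alphabet, up to max_len characters.
def short_strings(alphabet, max_len)
  (0..max_len).flat_map do |n|
    alphabet.repeated_permutation(n).map(&:join)
  end
end

# Strings on which either pattern differs from the reference validator.
# max_len stays small on purpose: the report shows URI_STYLE's nested
# quantifiers hanging on a longer non-matching input under Ruby 1.9.
def disagreements(max_len = 6, alphabet = %w[% a F 3 g])
  short_strings(alphabet, max_len).reject do |s|
    expected = valid_percent_encoding?(s)
    URI_STYLE.match?(s) == expected && RACK_STYLE.match?(s) == expected
  end
end

# Only RACK_STYLE and the reference are run on the report's long inputs;
# URI_STYLE on TRAILING_PERCENT is the hang the report describes.
def long_input_verdicts
  [TRAILING_PERCENT, NO_TRAILING].map do |s|
    [RACK_STYLE.match?(s), valid_percent_encoding?(s)]
  end
end

puts "disagreements: #{disagreements.size}"
p long_input_verdicts
```

An empty disagreement list covers only the enumerated strings; it supports the equivalence claim for this alphabet and length bound and is not a proof for all inputs.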