Skip to content

download: Content-Range total-size guard regex /^\*|[0-9]+$/ accepts any string ending in digits #302

Description

@kreinba

In BazaRb#download on lib/baza-rb.rb:794, the guard that validates the total part of the Content-Range response header at lib/baza-rb.rb:855 reads unless total.match?(/^\*|[0-9]+$/). Because | has the lowest precedence in Ruby regex, the alternatives parse as (^\*) | ([0-9]+$) — "string starts with *" OR "string ends in one or more digits" — instead of "the whole string is either * or a non-negative integer". The intent is /\A(?:\*|[0-9]+)\z/.

The current guard lets values like *abc, abc123, 12 34, or 0xff through silently. The downstream total.to_i on the next two lines then coerces these to 0 or to a leading-digit prefix, after which break if e.to_i == total.to_i - 1 checks against -1 (never true for the non-negative e) and break if total == 0 fails the literal match. The loop in download then never reaches either break, the chunk counter keeps climbing, and the download spins on a malformed Content-Range header instead of raising the "Total size is not valid" error the guard exists to surface.

The smallest fix is to anchor the alternation with a non-capturing group and \A...\z so it matches the whole string: change /^\*|[0-9]+$/ to /\A(?:\*|[0-9]+)\z/ on line 855. The same \A...\z hardening applies to the e guard on line 857 (/\A[0-9]+\z/) so a stray newline cannot slip past $.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions