From f0dda0534be8befd0d6223531f70df8b12ade9cc Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Thu, 24 Apr 2025 10:14:01 +0900
Subject: [PATCH] Rewrite CGI.parse with URI.decode_www_form_component

Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
---
 .../gemcutter_utilities/webauthn_listener.rb        | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/rubygems/gemcutter_utilities/webauthn_listener.rb b/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
index abf65efe37..7a692d9192 100644
--- a/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
+++ b/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
@@ -85,10 +85,17 @@ module Gem::GemcutterUtilities
     end
 
     def parse_otp_from_uri(uri)
-      require "cgi"
+      query = uri.query
+      return unless query && !query.empty?
 
-      return if uri.query.nil?
-      CGI.parse(uri.query).dig("code", 0)
+      query.split('&') do |param|
+        key, value = param.split('=', 2)
+        if value && Gem::URI.decode_www_form_component(key) == "code"
+          return Gem::URI.decode_www_form_component(value)
+        end
+      end
+
+      nil
     end
 
     class SocketResponder