From f0dda0534be8befd0d6223531f70df8b12ade9cc Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA
Date: Thu, 24 Apr 2025 10:14:01 +0900
Subject: [PATCH] Rewrite CGI.parse with URI.decode_www_form_component
Co-authored-by: Nobuyoshi Nakada
---
 .../gemcutter_utilities/webauthn_listener.rb | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/lib/rubygems/gemcutter_utilities/webauthn_listener.rb b/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
index abf65efe37..7a692d9192 100644
--- a/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
+++ b/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
@@ -85,10 +85,17 @@ module Gem::GemcutterUtilities
 end
 def parse_otp_from_uri(uri)
- require "cgi"
+ query = uri.query
+ return unless query && !query.empty?
- return if uri.query.nil?
- CGI.parse(uri.query).dig("code", 0)
+ query.split('&') do |param|
+ key, value = param.split('=', 2)
+ if value && Gem::URI.decode_www_form_component(key) == "code"
+ return Gem::URI.decode_www_form_component(value)
+ end
+ end
+
+ nil
 end
 class SocketResponder
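Review bot: `Gem::URI.decode_www_form_component` raises `ArgumentError` on a malformed percent-escape, whereas the `CGI.parse` call it replaces left such input undecoded, so the new `query.split('&')` loop can now raise out of `parse_otp_from_uri` when a key ahead of `code`, or the `code` value itself, contains a stray `%`. The caller is outside this hunk, so it cannot be confirmed from here whether that exception is converted into the listener's normal bad-request handling; because this method parses a query string received over a local socket, it should fail closed on malformed input rather than propagate an exception. Consider ending the method with `rescue ArgumentError` followed by `nil`, plus a comment such as `# Malformed %-encoding is treated as "no code present"`. Separately, the old path also accepted `;` as a pair separator and the new one splits on `&` only; if that narrowing is intended, a one-line comment saying so would help the next reader.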