
List:       oss-security
Subject:    [oss-security] Re: [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack
From:       Justin Bull <me () justinbull ! ca>
Date:       2016-01-27 15:47:18
Message-ID: CAFB0D2S-jjKKegnTqXo+Kcn9JME+=KwAjUVKMBVCWS=z1uxQUQ () mail ! gmail ! com


On Mon, Jan 25, 2016 at 2:32 PM, Aaron Patterson <tenderlove@ruby-lang.org> wrote:

>
> Workarounds
> -----------
> This attack can be mitigated by a proxy that only allows known mime types
> in the Accept header.
>
> Placing the following code in an initializer will also mitigate the issue:
>
> ```ruby
> require 'action_dispatch/http/mime_type'
>
> Mime.const_set :LOOKUP, Hash.new { |h,k|
>   Mime::Type.new(k) unless k.blank?
> }
> ```
>

I know 4.0.x isn't a supported Rails version, but it's worth noting that
with our app, that workaround breaks the `params` hash in Action
Controller. The request must be "application/json" with a POST payload. The
workaround, for some reason, completely removes the post payload hash from
`params`. Note that a "multipart/form-data" request and GET parameters work
just fine.

Advice as to a workaround that preserves "application/json" POST request
parameters would be appreciated.

-- 
Best Regards,
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
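
The first workaround in the quoted advisory (allowing only known MIME types in the Accept header), written as a Rack middleware rather than a separate proxy. This is an added example, not code from the advisory or from either poster; the class name `AcceptAllowlist`, the allowlist contents, the 1024-byte cap and the fallback to `*/*` are assumptions.

```ruby
# Added example: Rack middleware that strips unknown media types from the
# Accept header before the application parses it.
class AcceptAllowlist
  # Constructed allowlist; replace with the types the application serves.
  ALLOWED = %w[
    */* text/html text/plain application/json application/xml
  ].freeze

  # Assumed upper bound on header size; longer values are not parsed at all.
  MAX_LENGTH = 1024

  def initialize(app, allowed: ALLOWED)
    @app = app
    @allowed = allowed.map(&:downcase).freeze
  end

  def call(env)
    raw = env['HTTP_ACCEPT']
    env['HTTP_ACCEPT'] = filter(raw) if raw
    @app.call(env)
  end

  # Returns the header with every media range whose type is not allowlisted
  # removed. Parameters such as ";q=0.8" are kept on the ranges that survive.
  # Falls back to "*/*" when nothing is left (assumed policy; a stricter
  # deployment could answer 406 instead).
  def filter(header)
    return '*/*' if header.bytesize > MAX_LENGTH

    kept = header.split(',').map(&:strip).select do |range|
      type = range.split(';', 2).first.to_s.strip.downcase
      @allowed.include?(type)
    end
    kept.empty? ? '*/*' : kept.join(', ')
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request environment with one known and one unknown type.
  app = ->(env) { [200, {}, [env['HTTP_ACCEPT'].to_s]] }
  env = { 'HTTP_ACCEPT' => 'application/json, x-unknown/type-1234;q=0.9' }
  puts AcceptAllowlist.new(app).call(env)[2].first
end
```

The middleware rewrites only `HTTP_ACCEPT`; it does not touch `Mime::LOOKUP`, the Content-Type header or the request body.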

