[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Re: [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack
From: Justin Bull <me () justinbull ! ca>
Date: 2016-01-27 15:47:18
Message-ID: CAFB0D2S-jjKKegnTqXo+Kcn9JME+=KwAjUVKMBVCWS=z1uxQUQ () mail ! gmail ! com
[Download RAW message or body]
On Mon, Jan 25, 2016 at 2:32 PM, Aaron Patterson <tenderlove@ruby-lang.org>
wrote:
>
> Workarounds
> -----------
> This attack can be mitigated by a proxy that only allows known mime types
> in
> the Accept header.
>
> Placing the following code in an initializer will also mitigate the issue:
>
> ```ruby
> require 'action_dispatch/http/mime_type'
>
> Mime.const_set :LOOKUP, Hash.new { |h,k|
> Mime::Type.new(k) unless k.blank?
> }
> ```
>
I know 4.0.x isn't a supported Rails version, but it's worth noting that
with our app, that workaround breaks the `params` hash in Action
Controller. The request must be "application/json" with a POST payload. The
workaround, for some reason, completely removes the post payload hash from
`params`. Note that a "multipart/form-data" request and GET parameters work
just fine.
Advice as to a workaround that preserves "application/json" POST request
parameters would be appreciated.
--
Best Regards,
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic