Date: Wed, 27 Jan 2016 10:47:18 -0500
From: Justin Bull <me@...tinbull.ca>
To: rubyonrails-security@...glegroups.com
Cc: security@...e.de, oss-security@...ts.openwall.com, 
	ruby-security-ann@...glegroups.com
Subject: Re: [CVE-2016-0751] Possible Object Leak and Denial of Service attack
 in Action Pack

On Mon, Jan 25, 2016 at 2:32 PM, Aaron Patterson <tenderlove@...y-lang.org>
wrote:

>
> Workarounds
> -----------
> This attack can be mitigated by a proxy that only allows known mime types
> in
> the Accept header.
>
> Placing the following code in an initializer will also mitigate the issue:
>
> ```ruby
> require 'action_dispatch/http/mime_type'
>
> Mime.const_set :LOOKUP, Hash.new { |h,k|
>   Mime::Type.new(k) unless k.blank?
> }
> ```
>

I know 4.0.x isn't a supported Rails version, but it's worth noting that
with our app, that workaround breaks the `params` hash in Action
Controller. The request must be "application/json" with a POST payload. The
workaround, for some reason, completely removes the post payload hash from
`params`. Note that a "multipart/form-data" request and GET parameters work
just fine.

Advice as to a workaround that preserves "application/json" POST request
parameters would be appreciated.

-- 
Best Regards,
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
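
The first workaround quoted above (allowing only known MIME types in the Accept header), written as a Rack-style middleware rather than a proxy. This is an added example, not code from the advisory, from Rails, or from either poster; the class name `AcceptAllowlist`, the allowlist contents, the size cap and the `*/*` fallback are assumptions. It rewrites only `HTTP_ACCEPT` and leaves `CONTENT_TYPE` and the request body untouched.

```ruby
# Added example: Rack-style middleware (hypothetical name AcceptAllowlist) that
# rewrites the Accept header so only allowlisted MIME types reach the app.
class AcceptAllowlist
  # Assumed allowlist; replace with the types your application really serves.
  DEFAULT_ALLOWED = %w[
    text/html application/json application/xml text/plain */*
  ].freeze
  MAX_HEADER_BYTES = 1024 # assumed cap; longer headers are not parsed at all

  # fallback is what the app sees when nothing in the header is allowlisted
  # (an assumption; rejecting the request instead is an equally valid policy).
  def initialize(app, allowed: DEFAULT_ALLOWED, fallback: '*/*')
    @app = app
    @allowed = allowed.map(&:downcase).freeze
    @fallback = fallback
  end

  def call(env)
    # Only the Accept header is rewritten; body and Content-Type pass through.
    env['HTTP_ACCEPT'] = filter(env['HTTP_ACCEPT']) if env.key?('HTTP_ACCEPT')
    @app.call(env)
  end

  # Returns the header with unknown media ranges dropped. Parameters such as
  # ";q=0.8" are kept for entries that survive. Never returns an empty string.
  def filter(header)
    return @fallback if header.bytesize > MAX_HEADER_BYTES
    kept = header.split(',').map(&:strip).select do |range|
      type = range.split(';', 2).first.to_s.strip.downcase
      @allowed.include?(type)
    end
    kept.empty? ? @fallback : kept.join(', ')
  end
end

# Constructed request environment, for demonstration only.
if __FILE__ == $PROGRAM_NAME
  app = ->(env) { [200, { 'Content-Type' => 'text/plain' }, [env['HTTP_ACCEPT'].to_s]] }
  env = { 'HTTP_ACCEPT' => 'application/json;q=0.9, x-made-up/type-1, text/html',
          'CONTENT_TYPE' => 'application/json' }
  puts AcceptAllowlist.new(app).call(env).last.first
end
```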
