Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 27 Jan 2016 10:47:18 -0500
From: Justin Bull <>
Subject: Re: [CVE-2016-0751] Possible Object Leak and Denial of Service attack
 in Action Pack

On Mon, Jan 25, 2016 at 2:32 PM, Aaron Patterson <>

> Workarounds
> -----------
> This attack can be mitigated by a proxy that only allows known mime types
> in
> the Accept header.
> Placing the following code in an initializer will also mitigate the issue:
> ```ruby
> require 'action_dispatch/http/mime_type'
> Mime.const_set :LOOKUP, { |h,k|
> unless k.blank?
> }
> ```

I know 4.0.x isn't a supported Rails version, but it's worth noting that
with our app, that workaround breaks the `params` hash in Action
Controller. The request must be "application/json" with a POST payload. The
workaround, for some reason, completely removes the post payload hash from
`params`. Note that a "multipart/form-data" request and GET parameters work
just fine.

Advice as to a workaround that preserves "application/json" POST request
parameters would be appreciated.

Best Regards,
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ