Only use valid mime type symbols as cache keys

CVE-2013-6414
author: Aaron Patterson <aaron.patterson@gmail.com> 2013-11-30 17:02:53 -0800
committer: Aaron Patterson <aaron.patterson@gmail.com> 2013-11-30 17:03:18 -0800
commit: bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068 (patch)
tree: 26c522ba88a0b02a60d4c291a8b3d2952020921d /actionpack/lib/action_view
parent: 5f844d6cc6b2c8ee54d8bfcd00b18d411f406c93 (diff)
download: rails-bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068.tar.gz
rails-bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068.tar.bz2
rails-bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/lookup_context.rb b/actionpack/lib/action_view/lookup_context.rb
index 9f617a9a53..9331d13577 100644
--- a/actionpack/lib/action_view/lookup_context.rb
+++ b/actionpack/lib/action_view/lookup_context.rb
@@ -62,6 +62,13 @@ module ActionView
       @details_keys = Hash.new
 
       def self.get(details)
+        if details[:formats]
+          details = details.dup
+          syms    = Set.new Mime::SET.symbols
+          details[:formats] = details[:formats].select { |v|
+            syms.include? v
+          }
+        end
         @details_keys[details] ||= new
       end
author	Aaron Patterson <aaron.patterson@gmail.com>	2013-11-30 17:02:53 -0800
committer	Aaron Patterson <aaron.patterson@gmail.com>	2013-11-30 17:03:18 -0800
commit	bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068 (patch)
tree	26c522ba88a0b02a60d4c291a8b3d2952020921d /actionpack/lib/action_view
parent	5f844d6cc6b2c8ee54d8bfcd00b18d411f406c93 (diff)
download	rails-bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068.tar.gz rails-bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068.tar.bz2 rails-bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068.zip