author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-11 14:36:49 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-22 14:59:43 -0800 |
commit | 127967b735813cd4f263df7a50426d74e7e9cc17 (patch) | |
tree | 8b53c6bef3cb50746d87da8b5d427d002aaa73bd /actionpack/lib | |
parent | a6fa3960c3a149e83eb2ff057be4472a82958e3d (diff) | |
stop caching mime types globally
Unknown mime types should not be cached globally. This global cache
leads to a memory leak and a denial of service vulnerability.
CVE-2016-0751
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_dispatch/http/mime_type.rb | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/actionpack/lib/action_dispatch/http/mime_type.rb b/actionpack/lib/action_dispatch/http/mime_type.rb
index 2152351703..be0088b562 100644
--- a/actionpack/lib/action_dispatch/http/mime_type.rb
+++ b/actionpack/lib/action_dispatch/http/mime_type.rb
@@ -22,7 +22,7 @@ module Mime
 SET = Mimes.new
 EXTENSION_LOOKUP = {}
- LOOKUP = Hash.new { |h, k| h[k] = Type.new(k) unless k.blank? }
+ LOOKUP = {}
 def self.[](type)
 return type if type.is_a?(Type)
@@ -85,7 +85,7 @@ module Mime
 Q_SEPARATOR_REGEXP = /;\s*q=/
 def lookup(string)
- LOOKUP[string]
+ LOOKUP[string] || Type.new(string)
 end
 def lookup_by_extension(extension)
@@ -204,9 +204,12 @@ module Mime
 end
 end
+ attr_reader :hash
+
 def initialize(string, symbol = nil, synonyms = [])
 @symbol, @synonyms = symbol, synonyms
 @string = string
+ @hash = [@string, @synonyms, @symbol].hash
 end
 def to_s
@@ -240,6 +243,13 @@ module Mime
 end
 end
+ def eql?(other)
+ super || (self.class == other.class &&
+ @string == other.string &&
+ @synonyms == other.synonyms &&
+ @symbol == other.symbol)
+ end
+
 def =~(mime_type)
 return false if mime_type.blank?
 regexp = Regexp.new(Regexp.quote(mime_type.to_s))
@@ -262,6 +272,10 @@ module Mime
 super || method.to_s =~ /(\w+)\?$/
 end
+ protected
+
+ attr_reader :string, :synonyms
+
 private
 def method_missing(method, *args)
 if method.to_s =~ /(\w+)\?$/
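Review bot: The new `lookup` body drops the `unless k.blank?` guard that the removed `LOOKUP` default block carried, so `lookup("")` now returns a fresh `Type` wrapping a blank string where the old block yielded nil without caching; if callers rely on nil for blank input, `LOOKUP[string] || (Type.new(string) unless string.blank?)` keeps the fix while preserving that contract. Returning an uncached instance for unknown strings is the right mitigation for the request-controlled growth of `LOOKUP` described in the commit message, and presumably only the registration path (outside these hunks) still writes to that hash — worth a short comment on `LOOKUP = {}` saying so, e.g. `# Only populated by registration; never by request-driven lookups (CVE-2016-0751).` One further caveat on `initialize`: `@hash` is computed once from `@synonyms`, which is a mutable array defaulting to `[]`, so an instance whose synonyms are mutated after construction would have `hash` and `eql?` disagree — if synonyms are meant to be fixed at construction, `@synonyms.freeze` (or a comment stating the assumption) would make that explicit. The enclosing `module Mime` and the class that holds `initialize`, `eql?` and the new `protected` section begin and end outside these hunks.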