author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-02-18 16:12:51 -0300 |
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-02-18 16:12:51 -0300 |
commit | 33cb47ee488b2381d87f5bb36818cae5fa76c22e (patch) | |
tree | 8f85e606fc4c0a46475dbbc03f49c64eab674c03 /actionview/test | |
parent | 1879c259b870938c42d5d52f63123bfa0b8c81c8 (diff) | |
Use the reference for the mime type to get the format
Before, we were calling to_sym on the mime type even when it was unknown,
which can cause a denial of service because symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
Diffstat (limited to 'actionview/test')
-rw-r--r-- | actionview/test/template/html_test.rb | 17 | ||||
-rw-r--r-- | actionview/test/template/text_test.rb | 17 |
2 files changed, 34 insertions, 0 deletions
diff --git a/actionview/test/template/html_test.rb b/actionview/test/template/html_test.rb
new file mode 100644
index 0000000000..549c12c88c
--- /dev/null
+++ b/actionview/test/template/html_test.rb
@@ -0,0 +1,17 @@
+require 'abstract_unit'
+
+class HTMLTest < ActiveSupport::TestCase
+ test 'formats returns symbol for recognized MIME type' do
+ assert_equal [:html], ActionView::Template::HTML.new('', :html).formats
+ end
+
+ test 'formats returns string for recognized MIME type when MIME does not have symbol' do
+ foo = Mime::Type.lookup("foo")
+ assert_nil foo.to_sym
+ assert_equal ['foo'], ActionView::Template::HTML.new('', foo).formats
+ end
+
+ test 'formats returns string for unknown MIME type' do
+ assert_equal ['foo'], ActionView::Template::HTML.new('', 'foo').formats
+ end
+end
diff --git a/actionview/test/template/text_test.rb b/actionview/test/template/text_test.rb
new file mode 100644
index 0000000000..d899d54589
--- /dev/null
+++ b/actionview/test/template/text_test.rb
@@ -0,0 +1,17 @@
+require 'abstract_unit'
+
+class TextTest < ActiveSupport::TestCase
+ test 'formats returns symbol for recognized MIME type' do
+ assert_equal [:text], ActionView::Template::Text.new('', :text).formats
+ end
+
+ test 'formats returns string for recognized MIME type when MIME does not have symbol' do
+ foo = Mime::Type.lookup("foo")
+ assert_nil foo.to_sym
+ assert_equal ['foo'], ActionView::Template::Text.new('', foo).formats
+ end
+
+ test 'formats returns string for unknown MIME type' do
+ assert_equal ['foo'], ActionView::Template::Text.new('', 'foo').formats
+ end
+end
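Review bot: The three HTMLTest cases pin the return value of `formats` but not the property the commit message fixes — that an unknown type no longer interns a Symbol — so an implementation that interned the name and still handed back the string would pass them. A direct regression check in the last test would be `name = 'unknown-type-zz'`, `ActionView::Template::HTML.new('', name).formats`, `refute_includes Symbol.all_symbols.map(&:to_s), name`; comparing strings rather than writing the symbol literal avoids interning it from the test itself, and a name like `'foo'` is likely already a symbol somewhere in the suite, so a fresh string is needed. The second test relies on `Mime::Type.lookup("foo")` returning a type whose `to_sym` is nil rather than returning nil, which suggests lookup creates and caches an entry for unregistered names; if so, that entry outlives the test, and a teardown that removes it would keep the suite order-independent — I cannot confirm lookup's caching behaviour from this hunk.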
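Review bot: text_test.rb is a line-for-line copy of html_test.rb with `Text`/`:text` substituted for `HTML`/`:html`, so any tightening of these assertions (for example a check that no Symbol is interned for an unknown type) has to be written twice and can drift between the two files. A small shared module with the three tests as `def test_*` methods and a `template_class`/`template_format` hook would let both `HTMLTest` and `TextTest` include it and define only their own class and symbol, e.g. `def template_class = ActionView::Template::Text` and `def template_format = :text` in this file. This is a style point only; the assertions themselves match the HTML file exactly.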