Re: [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack

[Justin Bull <me () justinbull ca>]

On Mon, Jan 25, 2016 at 2:32 PM, Aaron Patterson <tenderlove () ruby-lang org>
wrote:

> Workarounds
> -----------
> This attack can be mitigated by a proxy that only allows known mime types
> in
> the Accept header.
>
> Placing the following code in an initializer will also mitigate the issue:
>
> ```ruby
> require 'action_dispatch/http/mime_type'
>
> Mime.const_set :LOOKUP, Hash.new { |h,k|
>   Mime::Type.new(k) unless k.blank?
> }
> ```

I know 4.0.x isn't a supported Rails version, but it's worth noting that
with our app, that workaround breaks the `params` hash in Action
Controller. The request must be "application/json" with a POST payload. The
workaround, for some reason, completely removes the post payload hash from
`params`. Note that a "multipart/form-data" request and GET parameters work
just fine.

Advice as to a workaround that preserves "application/json" POST request
parameters would be appreciated.

-- 
Best Regards,
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C