oss-sec mailing list archives
Re: [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack
From: Justin Bull <me () justinbull ca>
Date: Wed, 27 Jan 2016 10:47:18 -0500
On Mon, Jan 25, 2016 at 2:32 PM, Aaron Patterson <tenderlove () ruby-lang org> wrote:
> Workarounds
> -----------
> This attack can be mitigated by a proxy that only allows known mime types in
> the Accept header.
>
> Placing the following code in an initializer will also mitigate the issue:
>
> ```ruby
> require 'action_dispatch/http/mime_type'
>
> Mime.const_set :LOOKUP, Hash.new { |h,k| Mime::Type.new(k) unless k.blank? }
> ```
I know 4.0.x isn't a supported Rails version, but it's worth noting that with our app, that workaround breaks the `params` hash in Action Controller. The request must be "application/json" with a POST payload. The workaround, for some reason, completely removes the post payload hash from `params`. Note that a "multipart/form-data" request and GET parameters work just fine.

Advice as to a workaround that preserves "application/json" POST request parameters would be appreciated.

--
Best Regards,
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
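The other mitigation named in the quoted advisory, allowing only known mime types in the Accept header, sketched as Rack middleware instead of a separate proxy. This is an added example, not code from the advisory or from either poster; the class name `AcceptAllowlist`, its list of types and the `*/*` fallback are assumptions.

```ruby
# Added example: Rack middleware that strips unknown media types from the
# Accept header before the request reaches the framework's MIME lookup.
# It rewrites only HTTP_ACCEPT; CONTENT_TYPE and the request body are untouched.
class AcceptAllowlist
  # Assumed allowlist; replace with the types the application actually serves.
  ALLOWED = %w[text/html application/json application/xml text/plain */*].freeze
  # Assumed fallback used when no listed type survives filtering.
  FALLBACK = '*/*'

  def initialize(app, allowed: ALLOWED)
    @app = app
    @allowed = allowed
  end

  def call(env)
    raw = env['HTTP_ACCEPT']
    env['HTTP_ACCEPT'] = filter(raw) if raw
    @app.call(env)
  end

  # Keep only allowlisted media ranges; parameters such as ";q=0.9" are
  # preserved on the ranges that survive.
  def filter(header)
    kept = header.split(',').map(&:strip).select do |range|
      type = range.split(';', 2).first.to_s.strip.downcase
      @allowed.include?(type)
    end
    kept.empty? ? FALLBACK : kept.join(', ')
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: one real type plus two made-up ones.
  env = { 'HTTP_ACCEPT' => 'application/json;q=0.9, text/x-made-up-1, text/x-made-up-2' }
  app = ->(e) { [200, { 'Content-Type' => 'text/plain' }, [e['HTTP_ACCEPT']]] }
  _status, _headers, body = AcceptAllowlist.new(app).call(env)
  puts body.first
end
```

In a Rails application the class would be registered with `config.middleware.use AcceptAllowlist`.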
Current thread:
- [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack Aaron Patterson (Jan 25)
- Re: [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack Justin Bull (Jan 27)