fixing response splitting problem

rails · Aug 16, 2011 · 11dafea · 11dafea
1 parent bb99aa1
commit 11dafea
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/actionpack/lib/action_controller/response.rb b/actionpack/lib/action_controller/response.rb
@@ -64,12 +64,13 @@ def location=(url) headers['Location'] = url end
     # the character set information will also be included in the content type
     # information.
     def content_type=(mime_type)
-      self.headers["Content-Type"] =
+      new_content_type =
         if mime_type =~ /charset/ || (c = charset).nil?
           mime_type.to_s
         else
           "#{mime_type}; charset=#{c}"
         end
+      self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")
     end
 
     # Returns the response's content MIME type, or nil if content type has been set.

diff --git a/actionpack/test/controller/content_type_test.rb b/actionpack/test/controller/content_type_test.rb
@@ -46,6 +46,11 @@ def render_default_content_types_for_respond_to
       format.rss  { render :text   => "hello world!", :content_type => Mime::XML }
     end
   end
+
+  def render_content_type_from_user_input
+    response.content_type= params[:hello]
+    render :text=>"hello"
+  end
 
   def rescue_action(e) raise end
 end
@@ -129,6 +134,11 @@ def test_change_for_rxml
     assert_equal Mime::HTML, @response.content_type
     assert_equal "utf-8", @response.charset
   end
+
+  def test_user_supplied_value
+    get :render_content_type_from_user_input, :hello=>"hello/world\r\nAttack: true"
+    assert_equal "hello/world%0D%0AAttack: true", @response.content_type
+  end
 end
 
 class AcceptBasedContentTypeTest < ActionController::TestCase