Use the reference for the mime type to get the format

Before we were calling to_sym in the mime type, even when it is unknown what can cause denial of service since symbols are not removed by the garbage collector. Fixes: CVE-2014-0082
rails · Feb 18, 2014 · 388d2f8 · 388d2f8
1 parent eaa2101
commit 388d2f8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/actionpack/lib/action_view/template/text.rb b/actionpack/lib/action_view/template/text.rb
@@ -23,7 +23,7 @@ def render(*args)
       end
 
       def formats
-        [@mime_type.to_sym]
+        [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
       end
     end
   end

diff --git a/actionpack/test/template/text_test.rb b/actionpack/test/template/text_test.rb
@@ -0,0 +1,17 @@
+require 'abstract_unit'
+
+class TextTest < ActiveSupport::TestCase
+  test 'formats returns symbol for recognized MIME type' do
+    assert_equal [:text], ActionView::Template::Text.new('', :text).formats
+  end
+
+  test 'formats returns string for recognized MIME type when MIME does not have symbol' do
+    foo = Mime::Type.lookup("foo")
+    assert_nil foo.to_sym
+    assert_equal ['foo'], ActionView::Template::Text.new('', foo).formats
+  end
+
+  test 'formats returns string for unknown MIME type' do
+    assert_equal ['foo'], ActionView::Template::Text.new('', 'foo').formats
+  end
+end