Only use valid mime type symbols as cache keys

CVE-2013-6414 Conflicts: actionpack/lib/action_view/lookup_context.rb
rails · Dec 1, 2013 · 5aeb472 · 5aeb472
1 parent 77403a9
commit 5aeb472
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/actionpack/lib/action_view/lookup_context.rb b/actionpack/lib/action_view/lookup_context.rb
@@ -50,9 +50,20 @@ class DetailsKey #:nodoc:
       @details_keys = Hash.new
 
       def self.get(details)
+        if details[:formats]
+          details = details.dup
+          syms    = Set.new Mime::SET.symbols
+          details[:formats] = details[:formats].select { |v|
+            syms.include? v
+          }
+        end
         @details_keys[details.freeze] ||= new
       end
 
+      def self.clear
+        @details_keys.clear
+      end
+
       def initialize
         @hash = object_hash
       end