-rw-r--r--config/initializers/cve_2013_6414.rb21
1 files changed, 21 insertions, 0 deletions
diff --git a/config/initializers/cve_2013_6414.rb b/config/initializers/cve_2013_6414.rb
new file mode 100644
index 00000000000..f166e4d1de4
--- /dev/null
+++ b/config/initializers/cve_2013_6414.rb
@@ -0,0 +1,21 @@
+# Monkey patch for Ruby on Rails vulnerability CVE-2013-6414
+# https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
+
+ActiveSupport.on_load(:action_view) do
+ ActionView::LookupContext::DetailsKey.class_eval do
+ class << self
+ alias :old_get :get
+
+ def get(details)
+ if details[:formats]
+ details = details.dup
+ syms = Set.new Mime::SET.symbols
+ details[:formats] = details[:formats].select { |v|
+ syms.include? v
+ }
+ end
+ old_get details
+ end
+ end
+ end
+end
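Review bot: The monkey patch has no version gate, so it will silently keep overriding `DetailsKey.get` after the app moves to a Rails release that already contains this fix, and nothing will remind anyone to delete it; a guard at the top of the initializer such as `raise "config/initializers/cve_2013_6414.rb is obsolete, remove it" if Gem::Version.new(Rails.version) >= Gem::Version.new("3.2.16")` (adjust the threshold to the fixed release of the Rails series this app is on, per the linked advisory) makes the patch self-expiring. The `alias :old_get :get` at line 20 is also not idempotent: if this `class_eval` body is ever evaluated twice, `old_get` is re-pointed at the patched `get` and every call recurses forever, so prefer `alias :old_get :get unless method_defined?(:old_get)`. The filtering itself looks to mirror the upstream fix (dup the details hash, keep only formats registered in `Mime::SET`), which is the right shape since the advisory's issue is unbounded growth of the `@details_keys` cache from attacker-chosen format symbols; a one-line comment stating that intent, `# Drop unregistered formats so arbitrary Accept values cannot grow the DetailsKey cache without bound`, would help the next maintainer judge when it is safe to remove.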