Only use valid mime type symbols as cache keys

CVE-2013-6414
2026-01-08 22:27:59 -05:00 · 2013-11-30 17:02:53 -08:00
parent 5f844d6cc6
commit bee3b7f937
1 changed files with 7 additions and 0 deletions
--- a/actionpack/lib/action_view/lookup_context.rb
+++ b/actionpack/lib/action_view/lookup_context.rb
@@ -62,6 +62,13 @@ module ActionView
      @details_keys = Hash.new

      def self.get(details)
+        if details[:formats]
+          details = details.dup
+          syms    = Set.new Mime::SET.symbols
+          details[:formats] = details[:formats].select { |v|
+            syms.include? v
+          }
+        end
        @details_keys[details] ||= new
      end