| author | Louise Crow <louise.crow@gmail.com> | 2013-12-04 07:47:36 +0000 | 
|---|---|---|
| committer | Louise Crow <louise.crow@gmail.com> | 2013-12-04 07:47:36 +0000 | 
| commit | 4eb8432dedc8b521086cdf163ebe5d373396d39a (patch) | |
| tree | 0fee3baa4d0832de0b24b245de603b40b902041a | |
| parent | 94f38b7dd382a7cc2523072f30996365fe8cbacf (diff) | |
Apply monkey patch for CVE-2013-6414. 0.15.0.2 hotfix/0.15.0.2
| -rw-r--r-- | config/initializers/rails_security_patches.rb | 22 | 
1 files changed, 22 insertions, 0 deletions
| 
diff --git a/config/initializers/rails_security_patches.rb b/config/initializers/rails_security_patches.rb
new file mode 100644
index 000000000..b7f013d04
--- /dev/null
+++ b/config/initializers/rails_security_patches.rb
@@ -0,0 +1,22 @@
+# Temporary patches for Rails security alert made on 03/12/2013
+
+# CVE-2013-6414 https://groups.google.com/forum/#!topic/rubyonrails-security/A-ebV4WxzKg
+
+ActiveSupport.on_load(:action_view) do
+  ActionView::LookupContext::DetailsKey.class_eval do
+    class << self
+      alias :old_get :get
+
+      def get(details)
+        if details[:formats]
+          details = details.dup
+          syms    = Set.new Mime::SET.symbols
+          details[:formats] = details[:formats].select { |v|
+            syms.include? v
+          }
+        end
+        old_get details
+      end
+    end
+  end
+end |
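Review bot: The patch has no guard against being applied twice or against the Rails upgrade that will make it redundant, even though the header comment calls it temporary: if this `on_load` block ever ran a second time, `alias :old_get :get` would point `old_get` at the already-patched `get` and the next call would recurse without bound. Wrapping the alias and the redefinition inside `class << self` in `unless method_defined?(:old_get)` makes re-application a no-op, and a check such as `if Gem::Version.new(Rails.version) < Gem::Version.new('<FIXED_RAILS_VERSION>')` around the whole `on_load` block records when the file can be deleted. The filtering itself appears to follow the shape of the upstream fix — restricting `details[:formats]` to symbols registered in `Mime::SET` so that arbitrary format values from a request cannot keep growing the `DetailsKey` cache — and needs no change; a header comment saying exactly that (`# Limits DetailsKey cache keys to registered MIME formats; remove once Rails carries the fix`) would help whoever removes it. Renaming `old_get` to something like `get_without_format_filter` would also make the alias chain's intent clearer than a generic "old" prefix.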
