[DRE-commits] [ruby-actionpack-3.2] 04/06: [CVE-2013-6414] Denial of Service Vulnerability in Action View

[Ondrej Sury]

This is an automated email from the git hooks/post-receive script.

ondrej pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.

commit 006a14f153095e4cdfdb1c046635940433807ae8
Author: Ondřej Surý <ondrej at sury.org>
Date:   Wed Dec 4 11:46:19 2013 +0100

    [CVE-2013-6414] Denial of Service Vulnerability in Action View
---
 debian/patches/CVE-2013-6414.patch | 23 +++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 24 insertions(+)

diff --git a/debian/patches/CVE-2013-6414.patch b/debian/patches/CVE-2013-6414.patch
new file mode 100644
index 0000000..f021ae2
--- /dev/null
+++ b/debian/patches/CVE-2013-6414.patch
@@ -0,0 +1,23 @@
+From bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sat, 30 Nov 2013 17:02:53 -0800
+Subject: [PATCH] Only use valid mime type symbols as cache keys
+
+CVE-2013-6414
+
+--- ruby-actionpack-3.2.orig/lib/action_view/lookup_context.rb
++++ ruby-actionpack-3.2/lib/action_view/lookup_context.rb
+@@ -56,6 +56,13 @@ module ActionView
+       @details_keys = Hash.new
+ 
+       def self.get(details)
++        if details[:formats]
++          details = details.dup
++          syms    = Set.new Mime::SET.symbols
++          details[:formats] = details[:formats].select { |v|
++            syms.include? v
++          }
++        end
+         @details_keys[details] ||= new
+       end
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 07e0d65..4b9d9cc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,4 +5,5 @@ CVE-2013-0155.patch
 CVE-2013-1855.patch
 CVE-2013-1857.patch
 CVE-2013-4491.patch
+CVE-2013-6414.patch
 CVE-2013-6417.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git