stop caching mime types globally

Unknown mime types should not be cached globally. This global cache leads to a memory leak and a denial of service vulnerability. CVE-2016-0751
rails · Jan 22, 2016 · 127967b · 127967b · kevingriffin · Jan 26, 2016
1 parent a6fa396
commit 127967b
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/actionpack/lib/action_dispatch/http/mime_type.rb b/actionpack/lib/action_dispatch/http/mime_type.rb
@@ -22,7 +22,7 @@ def #{method}(*)
 
   SET              = Mimes.new
   EXTENSION_LOOKUP = {}
-  LOOKUP           = Hash.new { |h, k| h[k] = Type.new(k) unless k.blank? }
+  LOOKUP           = {}
 
   def self.[](type)
     return type if type.is_a?(Type)
@@ -85,7 +85,7 @@ class << self
       Q_SEPARATOR_REGEXP = /;\s*q=/
 
       def lookup(string)
-        LOOKUP[string]
+        LOOKUP[string] || Type.new(string)
       end
 
       def lookup_by_extension(extension)
@@ -204,9 +204,12 @@ def unregister(symbol)
       end
     end
 
+    attr_reader :hash
+
     def initialize(string, symbol = nil, synonyms = [])
       @symbol, @synonyms = symbol, synonyms
       @string = string
+      @hash = [@string, @synonyms, @symbol].hash
     end
 
     def to_s
@@ -240,6 +243,13 @@ def ==(mime_type)
       end
     end
 
+    def eql?(other)
+      super || (self.class == other.class &&
+                @string    == other.string &&
+                @synonyms  == other.synonyms &&
+                @symbol    == other.symbol)
+    end
+
     def =~(mime_type)
       return false if mime_type.blank?
       regexp = Regexp.new(Regexp.quote(mime_type.to_s))
@@ -262,6 +272,10 @@ def respond_to?(method, include_private = false) #:nodoc:
       super || method.to_s =~ /(\w+)\?$/
     end
 
+    protected
+
+    attr_reader :string, :synonyms
+
     private
       def method_missing(method, *args)
         if method.to_s =~ /(\w+)\?$/