Package: rails / 2.3.5-1.2+squeeze8

CVE-2011-3186.patch Patch series | download
diff --git a/actionpack/lib/action_controller/response.rb b/actionpack/lib/action_controller/response.rb
index 815f749..ff1702e 100644
--- a/actionpack/lib/action_controller/response.rb
+++ b/actionpack/lib/action_controller/response.rb
@@ -64,12 +64,13 @@ module ActionController # :nodoc:
     # the character set information will also be included in the content type
     # information.
     def content_type=(mime_type)
-      self.headers["Content-Type"] =
+      new_content_type =
         if mime_type =~ /charset/ || (c = charset).nil?
           mime_type.to_s
         else
           "#{mime_type}; charset=#{c}"
         end
+      self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")
     end
 
     # Returns the response's content MIME type, or nil if content type has been set.
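Review bot: The new assignment on the last added line percent-encodes only CR and LF, and nothing in the hunk says why a URI escaping routine is applied to a header value; a why-comment above it would keep the next maintainer from "simplifying" it away: `# Percent-encode CR/LF so a caller-supplied value cannot terminate the header and inject further headers (CVE-2011-3186).` Because the encoding is applied to the assembled string, the `; charset=` suffix also passes through it, which is harmless for that fixed text. The stored value is now the encoded form, so any reader of the header (the `content_type` getter documented just after the hunk) will see `%0D%0A` rather than the original characters, as the test in the other file asserts. `URI.escape` is only resolvable if `uri` is loaded earlier in this file or by its loaders, which the hunk does not show.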
diff --git a/actionpack/test/controller/content_type_test.rb b/actionpack/test/controller/content_type_test.rb
index 32c1757..852fbfa 100644
--- a/actionpack/test/controller/content_type_test.rb
+++ b/actionpack/test/controller/content_type_test.rb
@@ -46,6 +46,11 @@ class ContentTypeController < ActionController::Base
       format.rss  { render :text   => "hello world!", :content_type => Mime::XML }
     end
   end
+  
+  def render_content_type_from_user_input
+    response.content_type= params[:hello]
+    render :text=>"hello"
+  end
 
   def rescue_action(e) raise end
 end
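Review bot: The setter call on the added line, `response.content_type= params[:hello]`, reads like a method with a bare argument; the surrounding file spaces its operators and hash rockets (`render :text   => ...`), so `response.content_type = params[:hello]` and `render :text => "hello"` would match. The added blank line before the method carries trailing whitespace (`+  `), as does the one added in the next hunk of this file. The class `ContentTypeController` opens before this hunk; only the new action and the two following lines are visible here.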
@@ -129,6 +134,11 @@ class ContentTypeTest < ActionController::TestCase
     assert_equal Mime::HTML, @response.content_type
     assert_equal "utf-8", @response.charset
   end
+  
+  def test_user_supplied_value
+    get :render_content_type_from_user_input, :hello=>"hello/world\r\nAttack: true"
+    assert_equal "hello/world%0D%0AAttack: true", @response.content_type
+  end
 end
 
 class AcceptBasedContentTypeTest < ActionController::TestCase
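Review bot: The new test pins only the CR/LF case, so a regression that encoded too much (spaces, slashes) would go unnoticed; a second `get` with a benign value such as `"text/plain"` and an assertion that the returned content type is the unencoded value would guard the other direction. The exact expected string for that second assertion depends on how the charset suffix is appended and split on the way back, which this hunk does not show, so it should be taken from a run against the fixed code rather than guessed. The enclosing `ContentTypeTest` class starts before the hunk.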