Created
January 9, 2013 08:57
-
-
Save jsl/4491687 to your computer and use it in GitHub Desktop.
Fix security vulnerability CVE-2013-0156 in apps that don't need XML and YAML parameter parsing.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These MIME types, which we don't use, are vulnerable per CVE-2013-0156 | |
| ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML) | |
| ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::YAML) |
Author
It's my understanding that you don't need to disable YAML if you disable XML altogether. If you can't disable XML, then you can disable YAML.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This should be put in config/initializers/disable_vulnerable_parameter_parsing.rb.