@dtao
Last active December 11, 2015 00:09
Rails initializer to disable XML parameter parsing to protect against newly discovered exploit
# Disable XML parameter parsing completely as a stopgap measure until upgrading to Rails 2.3.16
# to defend against arbitrary code execution vulnerability; see:
# https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
ActionController::Base.param_parsers.delete(Mime::XML)
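Added example, not part of dtao's gist: a Rack middleware that refuses XML request bodies with 415 before they reach the Rails parameter parser, a second layer alongside removing Mime::XML from param_parsers (useful when the initializer cannot be deployed to every app at once). It assumes only the Rack call(env) contract and the media types Rails 2.3 registers for Mime::XML; the RejectXmlBodies class and xml_guard_status helper are names chosen here.

```ruby
# Added example (not dtao's code): reject XML bodies at the Rack layer so the
# Rails XML parameter parser never sees them. Only the Rack call(env)
# contract is assumed; no gems are required to run this file.
class RejectXmlBodies
  # Media types Rails 2.3 registers for Mime::XML (mime_types.rb).
  XML_TYPES = %w[application/xml text/xml application/x-xml].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    if xml_body?(env)
      body = "XML request bodies are not accepted\n"
      return [415,
              { "Content-Type" => "text/plain",
                "Content-Length" => body.bytesize.to_s },
              [body]]
    end
    @app.call(env)
  end

  # True when the declared Content-Type is an XML media type; parameters such
  # as ";charset=utf-8" are stripped before comparison, case-insensitively.
  def xml_body?(env)
    ctype = env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase
    XML_TYPES.include?(ctype)
  end
end

# Constructed sample request (hypothetical path, stub app) run through the
# middleware; returns the HTTP status the client would receive.
def xml_guard_status(content_type)
  app = lambda { |_env| [200, { "Content-Type" => "text/plain" }, ["ok"]] }
  env = { "REQUEST_METHOD" => "POST",
          "PATH_INFO" => "/users",
          "CONTENT_TYPE" => content_type }
  RejectXmlBodies.new(app).call(env).first
end
```

In a Rails 2.3 app this would be wired in with `config.middleware.use RejectXmlBodies` in environment.rb; it blocks XML uploads entirely, so it is only appropriate for apps that do not legitimately accept XML.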