From ab38aa45497a38bc4a97f5eca430d43989f0b124 Mon Sep 17 00:00:00 2001
From: Cliff Pruitt
Date: Tue, 19 Mar 2019 10:57:55 -0400
Subject: [PATCH] Update regular expression for checking valid MIME type
MIME Type validation regular expression does not allow for MIME types initialized with strings that contain parameters after the MIME type name.
---
 actionpack/lib/action_dispatch/http/mime_type.rb | 5 ++++-
 actionpack/test/dispatch/mime_type_test.rb | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_dispatch/http/mime_type.rb b/actionpack/lib/action_dispatch/http/mime_type.rb
index 296a36ad28..962d10d81b 100644
--- a/actionpack/lib/action_dispatch/http/mime_type.rb
+++ b/actionpack/lib/action_dispatch/http/mime_type.rb
@@ -223,7 +223,10 @@ module Mime
 attr_reader :hash
 MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
- MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME}))\z/
+ MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
+ MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
+ MIME_PARAMETER = "\s*\;\s+#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
+ MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
 class InvalidMimeType < StandardError; end
diff --git a/actionpack/test/dispatch/mime_type_test.rb b/actionpack/test/dispatch/mime_type_test.rb
index bb3d888e30..50f6c06fee 100644
--- a/actionpack/test/dispatch/mime_type_test.rb
+++ b/actionpack/test/dispatch/mime_type_test.rb
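Review bot: In mime_type.rb, `MIME_PARAMETER` is a double-quoted Ruby string, where `\s` is the escape for a literal space rather than the regex whitespace class, so the interpolated pattern demands at least one space after the semicolon and never matches a tab; `text/html;charset=utf-8` would raise `InvalidMimeType`. Doubling the backslashes keeps the class and admits the compact form: `MIME_PARAMETER = "\\s*;\\s*#{MIME_PARAMETER_KEY}(?:=#{MIME_PARAMETER_VALUE})?"`. The accepted examples added in mime_type_test.rb all use exactly one space after `;`, so they do not catch this. Separately, `MIME_REGEXP` wraps `#{MIME_PARAMETER}` in its own `\s*` on both sides inside the repeated group, which overlaps with the pattern's leading whitespace run; because this expression validates values taken from request headers, collapsing that to `(?:#{MIME_PARAMETER})*\s*` would reduce ambiguous backtracking on non-matching input. The enclosing class starts and ends outside the hunk.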
@@ -181,6 +181,13 @@ class MimeTypeTest < ActiveSupport::TestCase
 assert_equal "video/*", Mime::Type.new("video/*").to_s
 end
+ test "can be initialized with parameters" do
+ assert_equal "text/html; parameter", Mime::Type.new("text/html; parameter").to_s
+ assert_equal "text/html; parameter=abc", Mime::Type.new("text/html; parameter=abc").to_s
+ assert_equal 'text/html; parameter="abc"', Mime::Type.new('text/html; parameter="abc"').to_s
+ assert_equal 'text/html; parameter=abc; parameter2="xyz"', Mime::Type.new('text/html; parameter=abc; parameter2="xyz"').to_s
+ end
+
 test "invalid mime types raise error" do
 assert_raises Mime::Type::InvalidMimeType do
 Mime::Type.new("too/many/slash")
@@ -190,6 +197,14 @@ class MimeTypeTest < ActiveSupport::TestCase
 Mime::Type.new("missingslash")
 end
+ assert_raises Mime::Type::InvalidMimeType do
+ Mime::Type.new("improper/semicolon;")
+ end
+
+ assert_raises Mime::Type::InvalidMimeType do
+ Mime::Type.new('improper/semicolon; parameter=abc; parameter2="xyz";')
+ end
+
 assert_raises Mime::Type::InvalidMimeType do
 Mime::Type.new("text/html, text/plain")
 end
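Review bot: The rejection cases added to `invalid mime types raise error` in the second hunk cover a trailing semicolon but not malformed quoting. `MIME_PARAMETER_VALUE` makes the opening and closing quote optional independently of each other, so a value with only one quote appears to be accepted. A case such as `assert_raises(Mime::Type::InvalidMimeType) { Mime::Type.new('text/html; parameter="abc') }` would pin the intended behaviour and is expected to fail against the pattern as written. The test block opens before this hunk and continues past it.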