josevalim
Creator of Elixir
Mime v2.0.4 has been released with a potential security fix
Hi everyone,
We have just released Mime v2.0.4 with a potential security fix. Before this version, Mime.extensions("foo/bar+baz") would return “baz” as an extension, whatever “baz” is. So for example:
iex> Mime.extensions("foo/bar+custom/../baz/bat")
"custom/../baz/bat"
This release makes it so it only returns known registered suffixes, by default: gzip, xml, json, and zip.
I have checked Plug, Phoenix, LiveView and I could not find any indication of this behavior being used as an attach vector. In any case, I recommend upgrading, especially if you use Mime.extensions in your own application.
A huge thank you to @MullPointer for the original report: Only return extensions for known structured syntax suffixes by MullPointer · Pull Request #76 · elixir-plug/mime · GitHub
Popular in News & Updates
It looks like it’s finally safe to announce that Nerves supports Erlang/OTP 26 and Elixir 1.15!
We’ve updated dozens of Nerves and close...
New
It is my pleasure to announce the official release of the new generation of NervesHub with the v2.0.0 release.
Containers are tagged. :p...
New
Hey folks! We’re starting a new weekly newsletter with the goings on of the various Ash packages and other interesting news from myself a...
New
Hologram v0.9 is out! The headline is a realtime layer - your server can now push updates to connected clients with no polling: broadcast...
New
The new Ash Framework site and installer are live. Please try it out and let me know what you think!
New
Hey folks! I’ve begun putting together some concrete, framework-wide tooling and guidance on the usage of LLMs in development. The goal h...
New
Hi everyone,
We have just released Mime v2.0.4 with a potential security fix. Before this version, Mime.extensions("foo/bar+baz") would ...
New
We have for you a new release candidate. Take :notes: if you use partitioned queues or make heavy use of Workflows. This is the RC for yo...
New
@jimsynz just launched an epic new extension for Ash! It allows you to create rich mix tasks for calling your resource actions directly f...
New
Hey! For those following Hologram’s progress… I’m excited to share that I’ve just published the official roadmap for Hologram. You can ch...
New
Other popular topics
Hello!
tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability.
After spen...
New
What is the idiomatic way of matching for not nil in Elixir?
E.g.,
First way:
defp halt_if_not_signed_in(conn, signed_in_account) when...
New
After calling mix ecto.create I get this error:
17:00:32.162 [error] GenServer #PID<0.412.0> terminating
** (Postgrex.Error) FATAL...
New
Phoenix 1.4.0 released
Phoenix 1.4 is out! This release ships with exciting new features, most notably
with HTTP2 support, improved deve...
New
i’m a new one to elixir
which editor can i use
vs code? or atom?
Thanks! :smiley:
New
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition)
It’s been a while since we first asked this, I...
New
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this:
...
New
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine)
This is a plugin that adds support for Elixir to JetBrains IntelliJ...
New
Hi!
Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









