josevalim

josevalim

Creator of Elixir

Mime v2.0.4 has been released with a potential security fix

Hi everyone,

We have just released Mime v2.0.4 with a potential security fix. Before this version, Mime.extensions("foo/bar+baz") would return “baz” as an extension, whatever “baz” is. So for example:

iex> Mime.extensions("foo/bar+custom/../baz/bat")
"custom/../baz/bat"

This release makes it so it only returns known registered suffixes, by default: gzip, xml, json, and zip.

I have checked Plug, Phoenix, LiveView and I could not find any indication of this behavior being used as an attach vector. In any case, I recommend upgrading, especially if you use Mime.extensions in your own application.

A huge thank you to @MullPointer for the original report: Only return extensions for known structured syntax suffixes by MullPointer · Pull Request #76 · elixir-plug/mime · GitHub

Where Next?

Popular in News & Updates Top

fhunleth
It looks like it’s finally safe to announce that Nerves supports Erlang/OTP 26 and Elixir 1.15! We’ve updated dozens of Nerves and close...
New
lawik
It is my pleasure to announce the official release of the new generation of NervesHub with the v2.0.0 release. Containers are tagged. :p...
New
zachdaniel
Hey folks! We’re starting a new weekly newsletter with the goings on of the various Ash packages and other interesting news from myself a...
New
bartblast
Hologram v0.9 is out! The headline is a realtime layer - your server can now push updates to connected clients with no polling: broadcast...
New
zachdaniel
The new Ash Framework site and installer are live. Please try it out and let me know what you think!
New
zachdaniel
Hey folks! I’ve begun putting together some concrete, framework-wide tooling and guidance on the usage of LLMs in development. The goal h...
New
josevalim
Hi everyone, We have just released Mime v2.0.4 with a potential security fix. Before this version, Mime.extensions("foo/bar+baz") would ...
New
sorenone
We have for you a new release candidate. Take :notes: if you use partitioned queues or make heavy use of Workflows. This is the RC for yo...
New
zachdaniel
@jimsynz just launched an epic new extension for Ash! It allows you to create rich mix tasks for calling your resource actions directly f...
New
bartblast
Hey! For those following Hologram’s progress… I’m excited to share that I’ve just published the official roadmap for Hologram. You can ch...
New

Other popular topics Top

sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 42920 311
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 30877 112
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31142 143
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36128 110
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement