Mime v2.0.4 has been released with a potential security fix

Hi everyone,

We have just released Mime v2.0.4 with a potential security fix. Before this version, Mime.extensions("foo/bar+baz") would return “baz” as an extension, whatever “baz” is. So for example:

iex> Mime.extensions("foo/bar+custom/../baz/bat")
"custom/../baz/bat"

This release makes it so it only returns known registered suffixes, by default: gzip, xml, json, and zip.

I have checked Plug, Phoenix, LiveView and I could not find any indication of this behavior being used as an attack vector. In any case, I recommend upgrading, especially if you use Mime.extensions in your own application.

A huge thank you to @MullPointer for the original report: Only return extensions for known structured syntax suffixes by MullPointer · Pull Request #76 · elixir-plug/mime · GitHub
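As an added illustration (not code from the Mime library or from the announcement above), the following Python sketch places the pre-2.0.4 "take whatever follows the plus" lookup beside an allow-list lookup limited to the four default suffixes named above; the function names, the token check and the constructed inputs are assumptions of this example.

```python
import re
from typing import Optional

# Structured syntax suffixes that Mime v2.0.4 accepts by default,
# as listed in the announcement.
KNOWN_SUFFIXES = {"gzip", "xml", "json", "zip"}

# RFC 6838 token characters for type and subtype names. Note that "/"
# and whitespace are not tokens, so "custom/../baz/bat" cannot pass.
_TOKEN = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+$")


def suffix_naive(media_type: str) -> Optional[str]:
    """Reconstruction of the pre-2.0.4 behaviour described above:
    everything after the last '+' is returned unchecked."""
    if "+" not in media_type:
        return None
    return media_type.rsplit("+", 1)[1]


def suffix_known(media_type: str) -> Optional[str]:
    """Hardened lookup: parse type/subtype, then return the suffix only
    if it is on the allow-list. Anything else yields None."""
    type_, sep, subtype = media_type.partition("/")
    if not sep or not _TOKEN.match(type_) or not _TOKEN.match(subtype):
        return None
    _base, plus, suffix = subtype.rpartition("+")
    if not plus:
        return None
    suffix = suffix.lower()  # media types are case-insensitive
    return suffix if suffix in KNOWN_SUFFIXES else None


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the announcement.
    for mt in ("foo/bar+custom/../baz/bat", "application/vnd.api+json",
               "application/atom+XML", "foo/bar+baz", "text/plain"):
        print(f"{mt!r:40} naive={suffix_naive(mt)!r:25} "
              f"known={suffix_known(mt)!r}")
```

Running the block prints the two columns side by side, showing that only the allow-listed suffixes survive the hardened lookup.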
