Severity: HIGH 7.5

GHSA-86g5-2wh3-gc9j

Path Traversal in Action View

Details

# File Content Disclosure in Action View

## Impact

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this:

```ruby
class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file"
  end
end
```

Rendering templates as opposed to files is not impacted by this vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

## Releases

The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.

## Workarounds

This vulnerability can be mitigated by specifying a format for file rendering, like this:

```ruby
class UserController < ApplicationController
  def index
    render file: "#{Rails.root}/some/file", formats: [:html]
  end
end
```

In summary, impacted calls to `render` look like this:

```ruby
render file: "#{Rails.root}/some/file"
```

The vulnerability can be mitigated by changing to this:

```ruby
render file: "#{Rails.root}/some/file", formats: [:html]
```

Other calls to `render` are not impacted.

Alternatively, the following monkey patch can be applied in an initializer:

```ruby
# config/initializers/formats_filter.rb
# frozen_string_literal: true

ActionDispatch::Request.prepend(Module.new do
  def formats
    super().select do |format|
      format.symbol || format.ref == "*/*"
    end
  end
end)
```
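The filter in the initializer keeps only MIME types that Rails has registered (those with a `symbol`) plus the `*/*` wildcard, so an unregistered media type supplied in an Accept header can no longer become a "format" that is appended to the file path. The stand-alone Ruby below is an added model of that logic and is not Rails or the advisory's code: `MimeType` and `KNOWN_TYPES` are constructed stand-ins for `Mime::Type` and the default Rails registry.

```ruby
# MimeType stands in for Rails' Mime::Type: `symbol` is non-nil only for registered types
# (in Rails the "*/*" type also has a nil symbol, hence the explicit ref check below).
MimeType = Struct.new(:ref, :symbol)

# Constructed registry: a small subset of the types Rails registers by default.
KNOWN_TYPES = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

# Parse an Accept header into MimeType objects, dropping quality parameters.
# Anything not in the registry gets a nil symbol, which is what the filter looks for.
def parse_accept(header)
  header.to_s.split(",").map do |entry|
    ref = entry.split(";").first.to_s.strip
    next if ref.empty?
    MimeType.new(ref, KNOWN_TYPES[ref])
  end.compact
end

# Mirrors ActionDispatch::Request#formats after the advisory's initializer:
# keep registered types or the wildcard, discard everything else.
def filtered_formats(header)
  parse_accept(header).select { |format| format.symbol || format.ref == "*/*" }
end

# The media types that would still reach `render file:` after filtering.
def allowed_formats(header)
  filtered_formats(header).map(&:ref)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers: registered types pass, an unregistered type is dropped.
  ["text/html,application/json;q=0.9", "*/*", "application/x-unregistered"].each do |h|
    puts "#{h.inspect} -> #{allowed_formats(h).inspect}"
  end
end
```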

## Credits

Thanks to John Hawthorn <john@hawthorn.email> of GitHub


Affected packages

| Ecosystem / package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| RubyGems / actionview | 4.0.0 | 4.2.11.1 | `bundle update actionview` |
| RubyGems / actionview | 5.0.0 | 5.0.7.2 | `bundle update actionview` |
| RubyGems / actionview | 5.1.0 | 5.1.6.2 | `bundle update actionview` |
| RubyGems / actionview | 5.2.0 | 5.2.2.1 | `bundle update actionview` |
