From: Chris Lamb <lamby@debian.org>
Date: Tue, 20 Nov 2018 10:25:08 +0100
Subject: CVE-2014-10077: Prevent a remote denial-of-service vulnerability via an application crash by engineering a situation where `:some_key` is present in `keep_keys` but not present in the hash.

Backported from https://github.com/svenfuchs/i18n/commit/24e71a9a4901ed18c9cab5c53109fd9bf2416bcb
---
 lib/i18n/core_ext/hash.rb  | 2 +-
 test/core_ext/hash_test.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/i18n/core_ext/hash.rb b/lib/i18n/core_ext/hash.rb
index f2a2422..895f41a 100644
--- a/lib/i18n/core_ext/hash.rb
+++ b/lib/i18n/core_ext/hash.rb
@@ -1,7 +1,7 @@
 class Hash
   def slice(*keep_keys)
     h = {}
-    keep_keys.each { |key| h[key] = fetch(key) }
+    keep_keys.each { |key| h[key] = fetch(key) if has_key?(key) }
     h
   end unless Hash.method_defined?(:slice)
 
diff --git a/test/core_ext/hash_test.rb b/test/core_ext/hash_test.rb
index 8309336..f7ebd6f 100644
--- a/test/core_ext/hash_test.rb
+++ b/test/core_ext/hash_test.rb
@@ -14,6 +14,12 @@ class I18nCoreExtHashInterpolationTest < I18n::TestCase
     assert_equal expected, hash.slice(:foo)
   end
 
+  test "#slice non-existent key" do
+    hash = { :foo => 'bar', :baz => 'bar' }
+    expected = { :foo => 'bar' }
+    assert_equal expected, hash.slice(:foo, :not_here)
+  end
+
   test "#except" do
     hash = { :foo => 'bar', :baz => 'bar' }
     expected = { :foo => 'bar' }
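Review bot: The guard added to the `keep_keys.each` line uses `has_key?`, where the preferred spelling is `key?`, so the line would read `keep_keys.each { |key| h[key] = fetch(key) if key?(key) }`. The code does not say why a missing key is now skipped rather than raising; a comment above the loop such as `# Skip keys the receiver lacks instead of letting fetch raise KeyError (CVE-2014-10077); matches the builtin Hash#slice` would keep the rationale next to the fix. Note that this definition is installed only when `Hash.method_defined?(:slice)` is false, so on interpreters that ship a native `Hash#slice` the patched polyfill is never active.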
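Review bot: The new `#slice non-existent key` test exercises the patched polyfill only when `Hash.method_defined?(:slice)` is false; on a Ruby with a native `Hash#slice` it tests the builtin and would pass even without the hash.rb change, so it guards the backport against regression only on older interpreters. It also covers just the mixed case; the all-missing case, which before the fix would have raised before any key was copied, is worth pinning with `assert_equal({}, hash.slice(:not_here))`. The enclosing `I18nCoreExtHashInterpolationTest` class starts and ends outside the hunk.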