authorLouise Crow <louise.crow@gmail.com>2013-10-24 10:23:43 +0100
committerLouise Crow <louise.crow@gmail.com>2013-10-24 10:23:43 +0100
commitd450371502bcd55776e51416afea8741ca66e8b3 (patch)
treecfc4397112ccfcc62ad7d856b6dc15536dc75b52
parentdd229afcec3ed124603e1875636135972434b7e7 (diff)
Monkey patch actionmailer for CVE-2013-4389 [0.14.0.3] [hotfix/0.14.0.3]
http://seclists.org/oss-sec/2013/q4/118
-rw-r--r--config/initializers/alaveteli.rb1
-rw-r--r--lib/actionmailer_patches.rb15
2 files changed, 16 insertions, 0 deletions
diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
index 8ae78c80c..4041ef7a8 100644
--- a/config/initializers/alaveteli.rb
+++ b/config/initializers/alaveteli.rb
@@ -50,6 +50,7 @@ require 'normalize_string'
require 'alaveteli_file_types'
require 'alaveteli_localization'
require 'message_prominence'
+require 'actionmailer_patches'
AlaveteliLocalization.set_locales(AlaveteliConfiguration::available_locales,
AlaveteliConfiguration::default_locale)
diff --git a/lib/actionmailer_patches.rb b/lib/actionmailer_patches.rb
new file mode 100644
index 000000000..600d3c8cc
--- /dev/null
+++ b/lib/actionmailer_patches.rb
@@ -0,0 +1,15 @@
+# Monkey patch for CVE-2013-4389
+# derived from http://seclists.org/oss-sec/2013/q4/118 to fix
+# a possible DoS vulnerability in the log subscriber component of
+# Action Mailer.
+
+require 'action_mailer'
+module ActionMailer
+ class LogSubscriber < ActiveSupport::LogSubscriber
+ def deliver(event)
+ recipients = Array.wrap(event.payload[:to]).join(', ')
+ info("\nSent mail to #{recipients} (#{event.duration.round(1)}ms)")
+ debug(event.payload[:mail])
+ end
+ end
+end
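Review bot: The reopened `class LogSubscriber` redefines `deliver` unconditionally, with no check on which ActionMailer version is loaded, so the override will keep shadowing the upstream method after the application moves to a Rails release that already carries the fix from the linked advisory, and any later upstream change to `deliver` (a different payload key, extra logging) would be silently lost. A guard that only applies the patch when the installed version predates the fix, or at minimum a comment stating the removal condition, keeps the hotfix from outliving its purpose; e.g. above `module ActionMailer`: `# Remove once the bundled Rails ships the upstream fix for CVE-2013-4389 (see the oss-sec link above).` The security-relevant part of the new `deliver` is that the joined recipient list is interpolated into the log line rather than handed to `String#%` as part of a format string, so a `%`-containing address can no longer raise inside the log subscriber; that is worth stating on the `info(...)` line, since it is the whole reason for the override: `# Interpolate, never String#% — recipient addresses are attacker-controlled.` It is also worth confirming in a console that `ActionMailer::LogSubscriber.instance_method(:deliver).source_location` points at this file, because `require 'action_mailer'` may leave the constant only autoload-registered and the reopen relies on Ruby resolving it to the real class rather than defining a fresh one.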