rails: InvalidMimeType exception on a newly created app

Has anyone figured out a way to ignore invalid accept headers (and just default to text/html)? Have a handful of users raise this exception every day because of invalid/malformed mime types. This was not an issue before Rails 6.

Some example types that fail:

Accept text/html,application/xhtml+xml,application/xml;

Accept text/html;q=1.0,application/xhtml+xml;q=1.0,application/xml;q=1.0,text/plain;q=0.9,text/xml;q=1.0,text/tab-separated-values;q=0.8,text/css;q=0.5,image/gif;q=0.5,audio/mpeg;q=0.5,*;q=0.1

Accept /

I am still having this issue at Rails ‘6.1.3.2’

+1 for looking for a way to simply reject bad mime types without triggering an error. My error collection service is full of “errors” like Mime::Type::InvalidMimeType: "../../../../../../../../etc/passwd{{" is not a valid MIME type in my Rails 6 app, when I wish Rails would just quietly reject these requests without logging an error.

@julienchabanon this is only released on 6.1.0.rc1. But you can try the 6-0-stable branch. The fix is also included there.

We also started seeing all kinds of InvalidMimeType errors in our exception tracker after upgrading our app to Rails 6. For the record raising the error was introduced to the mime type parser in https://github.com/rails/rails/pull/35604. Unfortunately this breaking change was never mentioned in the CHANGELOG or upgrade guides.

@eugeneius says:

That exception is already mapped to 406: Not Acceptable;

Indeed a Rails 6.0.3.2 does return an HTTP 406 in this condition. However, it’s logged to the log as if it were an uncaught exception, and caught/reported by my error handling service.

Does anyone know the easiest way to stop having it show up in logs/error handling services as if it were an uncaught exception?

Closed by #40353 and f2caed1e73

I potentially could.

As I think about it… I really feel like it would be better if it were not logging an error at all, but just treating invalid content-type as if the header were missing entirely. (A missing header does not raise an exception). I feel like it’s a bug if any user input can produce an uncaught exception.

However, this is indeed not Rails existing philosophy with RoutingError and may be a more controversial idea, possilby for good reason, there may be good reasons. I don’t really understand why it was changed to be the way it is, haven’t tracked down an explanation in commit messages or PRs, so hard to evaluate it.

So… ok, I can try to work on that PR, if it seems likely to be acceptable. I guess the new exception class can even still < Mime::Type::InvalidMimeType for backwards compat. As usual the hardest part may be the tests.

That sounds like a good change - calling Mime::Type.lookup from application code is documented, and the fact that passing an invalid argument in code like that currently results in a 406 response seems wrong. Are you interested in writing a PR?

How do your applications deal with ActionController::RoutingError exceptions

One way is to add a catch-all route routing to 404. at the end of routes.rb, eg something like match '*path', via: :all, to: 'pages#error_404' I think that approach still works, it’s something some people have been doing for years and can be found in blog posts going back a decade.

That it’s in so many blog posts shows that there’s demand for this sort of thing. There is at least a hacky way to get rid of 404’s from your error log; there is no way to get rid of InvalidMimeType. So it is different in that respect.

But it is kind of hacky; and I don’t think I do it myself. Which makes me think… why aren’t 404’s showing up in my error tracker? I’m guessing it’s defaulting to ignoring them (I don’t think I ever configured it). Perhaps various error tracking services just need to catch up to defaulting to ignoring the new InvalidMimeType errors, like they possibly do 404. Not sure what I think, need to think about it/investigate more.

But it’s definitely a popular thing to want to do (as is suppressing the 404’s as errors!) – if there were a clean/supported way to allow it to be configured or overridden, it would clearly be appreciated. Not sure.

I’m having the same problem with rails (6.0.0). A bunch of our GET request fail with an Mime::Type::InvalidMimeType exception

One Example: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36

“HTTP_ACCEPT” => “text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng*/*;q=0.8”,

Mime::Type::InvalidMimeType: “image/apng*/*” is not a valid MIME type [GEM_ROOT]/gems/actionpack-6.0.0/lib/action_dispatch/http/mime_type.rb:235 :in initialize [GEM_ROOT]/gems/actionpack-6.0.0/lib/action_dispatch/http/mime_type.rb:143 :in new [GEM_ROOT]/gems/actionpack-6.0.0/lib/action_dispatch/http/mime_type.rb:143 :in lookup [GEM_ROOT]/gems/actionpack-6.0.0/lib/action_dispatch/http/mime_type.rb:125 :in block in sort! [GEM_ROOT]/gems/actionpack-6.0.0/lib/action_dispatch/http/mime_type.rb:125 :in map! [GEM_ROOT]/gems/actionpack-6.0.0/lib/action_dispatch/http/mime_type.rb:125 :in sort!