authoreileencodes <eileencodes@gmail.com>2016-01-28 14:18:01 -0500
committereileencodes <eileencodes@gmail.com>2016-01-28 14:20:53 -0500
commit81a44518fe1a86e58b21ad46f2cd8302b13203b8 (patch)
tree5fa39bdeb238536ee9f92cf505ec7e4bc7d82a98
parent0ace05101b91d669f51fa7c98242881352c53916 (diff)
Regression test for rendering file from absolute path
Test that rendering a file given by an absolute path outside of the application directory is not allowed. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.
-rw-r--r--actionpack/test/controller/render_test.rb11
1 files changed, 11 insertions, 0 deletions
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index a52ba35cba..69469104dd 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -253,6 +253,17 @@ class TestController < ActionController::Base
response.body
end
+ def test_dynamic_render_with_absolute_path
+ file = Tempfile.new
+ file.write "secrets!"
+ file.flush
+ assert_raises ActionView::MissingTemplate do
+ response = get :dynamic_render, { id: file.path }
+ end
+ ensure
+ file.unlink
+ end
+
def test_dynamic_render
assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
assert_raises ActionView::MissingTemplate do