diff options
| author | Lukasz Sarnacki <lukesarnacki@gmail.com> | 2014-01-23 16:31:52 +0100 |
|---|---|---|
| committer | Lukasz Sarnacki <lukesarnacki@gmail.com> | 2014-01-28 20:29:38 +0100 |
| commit | 69ab91ae9396f0101afd13871f179a7f779d3178 (patch) | |
| tree | 5fea152a7fce596367503badf11bc21fe2e4e0c4 /actionpack/lib/action_controller | |
| parent | b9cd5a29dd4c6142b19c861fbf1a67452320b3dd (diff) | |
| download | rails-69ab91ae9396f0101afd13871f179a7f779d3178.tar.gz rails-69ab91ae9396f0101afd13871f179a7f779d3178.tar.bz2 rails-69ab91ae9396f0101afd13871f179a7f779d3178.zip | |
Log which keys were set to nil in deep_munge
deep_munge solves CVE-2013-0155 security vulnerability, but its
behaviour is definately confuisng. This commit adds logging to deep_munge.
It logs keys for which values were set to nil.
Also mentions in guides were added.
Diffstat (limited to 'actionpack/lib/action_controller')
| -rw-r--r-- | actionpack/lib/action_controller/log_subscriber.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb index 9279d8bcea..823a1050b5 100644 --- a/actionpack/lib/action_controller/log_subscriber.rb +++ b/actionpack/lib/action_controller/log_subscriber.rb @@ -53,6 +53,15 @@ module ActionController debug("Unpermitted parameters: #{unpermitted_keys.join(", ")}") end + def deep_munge(event) + message = "Value for params[:#{event.payload[:keys].join('][:')}] was set"\ + "to nil, because it was one of [], [null] or [null, null, ...]."\ + "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation"\ + "for more information."\ + + debug(message) + end + %w(write_fragment read_fragment exist_fragment? expire_fragment expire_page write_page).each do |method| class_eval <<-METHOD, __FILE__, __LINE__ + 1 |