diff options
| author | Aaron Patterson <aaron.patterson@gmail.com> | 2012-05-30 15:13:03 -0700 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2012-05-30 15:13:42 -0700 |
| commit | dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d (patch) | |
| tree | c17cc2176f64fa79dbc90ed132f846a7aa99a4eb /actionpack/lib/action_dispatch/http/request.rb | |
| parent | 71f7917c553cdc9a0ee49e87af0efb7429759718 (diff) | |
| download | rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.tar.gz rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.tar.bz2 rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.zip | |
Strip [nil] from parameters hash.
Thanks to Ben Murphy for reporting this!
CVE-2012-2660
Diffstat (limited to 'actionpack/lib/action_dispatch/http/request.rb')
| -rw-r--r-- | actionpack/lib/action_dispatch/http/request.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index 820921252d..adbb5d1346 100644 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb @@ -247,6 +247,28 @@ module ActionDispatch LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip } end + protected + + # Remove nils from the params hash + def deep_munge(hash) + hash.each_value do |v| + case v + when Array + v.grep(Hash) { |x| deep_munge(x) } + when Hash + deep_munge(v) + end + end + + keys = hash.keys.find_all { |k| hash[k] == [nil] } + keys.each { |k| hash[k] = nil } + hash + end + + def parse_query(qs) + deep_munge(super) + end + private def check_method(name) |