diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 12:11:18 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 12:11:18 -0800 |
commit | 88cc1688d0cb828c17706b41a8bd27870f2a2beb (patch) | |
tree | 1001415a74aa4ba81cc8fc305f4cb7a0bc145afc /actionpack/lib/action_dispatch/middleware/params_parser.rb | |
parent | f049016cd348627bf8db0d72382d7580bf802a79 (diff) | |
parent | 2ced6f2f8a85957b160710ae5d9fb245a6106550 (diff) | |
download | rails-88cc1688d0cb828c17706b41a8bd27870f2a2beb.tar.gz rails-88cc1688d0cb828c17706b41a8bd27870f2a2beb.tar.bz2 rails-88cc1688d0cb828c17706b41a8bd27870f2a2beb.zip |
Merge branch 'master-sec'
* master-sec:
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Diffstat (limited to 'actionpack/lib/action_dispatch/middleware/params_parser.rb')
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/params_parser.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/params_parser.rb b/actionpack/lib/action_dispatch/middleware/params_parser.rb index 2c98ca03a8..951f28f535 100644 --- a/actionpack/lib/action_dispatch/middleware/params_parser.rb +++ b/actionpack/lib/action_dispatch/middleware/params_parser.rb @@ -47,12 +47,12 @@ module ActionDispatch when Proc strategy.call(request.raw_post) when :xml_simple, :xml_node - data = Hash.from_xml(request.raw_post) || {} + data = request.deep_munge(Hash.from_xml(request.body.read) || {}) data.with_indifferent_access when :yaml YAML.load(request.raw_post) when :json - data = ActiveSupport::JSON.decode(request.raw_post) + data = request.deep_munge ActiveSupport::JSON.decode(request.body) data = {:_json => data} unless data.is_a?(Hash) data.with_indifferent_access else |