aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_dispatch/routing/url_for.rb
diff options
context:
space:
mode:
authorJean Boussier <jean.boussier@gmail.com>2015-07-07 13:47:16 -0400
committerJean Boussier <jean.boussier@gmail.com>2015-12-15 13:16:54 +0100
commit4752e7d83794ecf23c6d0367f0bcad8eee33da59 (patch)
treeff8f521583023efd23f62a7e584bd69660bd9c05 /actionpack/lib/action_dispatch/routing/url_for.rb
parent2dd64a7bbb0cb7b65976cb0516d0f338b099a715 (diff)
downloadrails-4752e7d83794ecf23c6d0367f0bcad8eee33da59.tar.gz
rails-4752e7d83794ecf23c6d0367f0bcad8eee33da59.tar.bz2
rails-4752e7d83794ecf23c6d0367f0bcad8eee33da59.zip
Prevent ActionController::Parameters from being passed to url_for directly
Diffstat (limited to 'actionpack/lib/action_dispatch/routing/url_for.rb')
-rw-r--r--actionpack/lib/action_dispatch/routing/url_for.rb5
1 files changed, 4 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb
index b6c031dcf4..f91679593e 100644
--- a/actionpack/lib/action_dispatch/routing/url_for.rb
+++ b/actionpack/lib/action_dispatch/routing/url_for.rb
@@ -172,8 +172,11 @@ module ActionDispatch
_routes.url_for(options.symbolize_keys.reverse_merge!(url_options),
route_name)
when ActionController::Parameters
+ unless options.permitted?
+ raise ArgumentError.new("Generating an URL from non sanitized request parameters is insecure!")
+ end
route_name = options.delete :use_route
- _routes.url_for(options.to_unsafe_h.symbolize_keys.
+ _routes.url_for(options.to_h.symbolize_keys.
reverse_merge!(url_options), route_name)
when String
options
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-28 14:20:15 +0000