author | Jean Boussier <jean.boussier@gmail.com> | 2015-07-07 13:47:16 -0400 |
committer | Jean Boussier <jean.boussier@gmail.com> | 2015-12-15 13:16:54 +0100 |
commit | 4752e7d83794ecf23c6d0367f0bcad8eee33da59 (patch) | |
tree | ff8f521583023efd23f62a7e584bd69660bd9c05 /actionpack/lib/action_dispatch/routing/url_for.rb | |
parent | 2dd64a7bbb0cb7b65976cb0516d0f338b099a715 (diff) | |
Prevent ActionController::Parameters from being passed to url_for directly
Diffstat (limited to 'actionpack/lib/action_dispatch/routing/url_for.rb')
-rw-r--r-- | actionpack/lib/action_dispatch/routing/url_for.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb
index b6c031dcf4..f91679593e 100644
--- a/actionpack/lib/action_dispatch/routing/url_for.rb
+++ b/actionpack/lib/action_dispatch/routing/url_for.rb
@@ -172,8 +172,11 @@ module ActionDispatch
 _routes.url_for(options.symbolize_keys.reverse_merge!(url_options),
 route_name)
 when ActionController::Parameters
+ unless options.permitted?
+ raise ArgumentError.new("Generating an URL from non sanitized request parameters is insecure!")
+ end
 route_name = options.delete :use_route
- _routes.url_for(options.to_unsafe_h.symbolize_keys.
+ _routes.url_for(options.to_h.symbolize_keys.
 reverse_merge!(url_options), route_name)
 when String
 options |
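Review bot: The guard added at the top of the `ActionController::Parameters` branch raises with `ArgumentError.new(...)`; the idiomatic form is `raise ArgumentError, "..."`, and the message should read `"Generating a URL from unsanitized request parameters is insecure!"`. The check sits in the right place, because every key of the (now permitted) hash flows through `to_h.symbolize_keys.reverse_merge!(url_options)` and so becomes a url_for option, and a one-line comment above the `unless` would make that reason visible to the next reader, e.g. `# Refuse unpermitted params: every key would otherwise become a url_for option (host, protocol, use_route) chosen by the request.`. The `when Hash` branch just above is untouched, so a caller that first converts with `to_unsafe_h` still reaches the unchecked path — presumably intended, but worth stating in the commit description. The enclosing `case` statement starts and ends outside the hunk.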