diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 11:37:48 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 11:37:48 -0800 |
commit | 48810a52dfba26cef127168af447a9620d4555c3 (patch) | |
tree | 5df95d8adbfcade0f7fedcc06e8e4fe1cdab6580 /actionpack/lib/action_dispatch | |
parent | f64be7d0d825828098617e6b7c2645dda72d4c18 (diff) | |
parent | 746dbd89faf8197e6d6f35f6e428a024923116a2 (diff) | |
download | rails-48810a52dfba26cef127168af447a9620d4555c3.tar.gz rails-48810a52dfba26cef127168af447a9620d4555c3.tar.bz2 rails-48810a52dfba26cef127168af447a9620d4555c3.zip |
Merge branch '3-2-sec' into 3-2-secmerge
* 3-2-sec:
bumping version
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Avoid Rack security warning no secret provided
Conflicts:
actionpack/CHANGELOG.md
activerecord/CHANGELOG.md
activesupport/CHANGELOG.md
Diffstat (limited to 'actionpack/lib/action_dispatch')
-rw-r--r-- | actionpack/lib/action_dispatch/http/request.rb | 10 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/params_parser.rb | 4 |
2 files changed, 6 insertions, 8 deletions
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index 0413346d94..2fac9668c1 100644 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb @@ -248,18 +248,14 @@ module ActionDispatch LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip } end - protected - # Remove nils from the params hash def deep_munge(hash) - keys = hash.keys.find_all { |k| hash[k] == [nil] } - keys.each { |k| hash[k] = nil } - - hash.each_value do |v| + hash.each do |k, v| case v when Array v.grep(Hash) { |x| deep_munge(x) } v.compact! + hash[k] = nil if v.empty? when Hash deep_munge(v) end @@ -268,6 +264,8 @@ module ActionDispatch hash end + protected + def parse_query(qs) deep_munge(super) end diff --git a/actionpack/lib/action_dispatch/middleware/params_parser.rb b/actionpack/lib/action_dispatch/middleware/params_parser.rb index 6ded9dbfed..ac726895fa 100644 --- a/actionpack/lib/action_dispatch/middleware/params_parser.rb +++ b/actionpack/lib/action_dispatch/middleware/params_parser.rb @@ -38,13 +38,13 @@ module ActionDispatch when Proc strategy.call(request.raw_post) when :xml_simple, :xml_node - data = Hash.from_xml(request.body.read) || {} + data = request.deep_munge(Hash.from_xml(request.body.read) || {}) request.body.rewind if request.body.respond_to?(:rewind) data.with_indifferent_access when :yaml YAML.load(request.raw_post) when :json - data = ActiveSupport::JSON.decode(request.body) + data = request.deep_munge ActiveSupport::JSON.decode(request.body) request.body.rewind if request.body.respond_to?(:rewind) data = {:_json => data} unless data.is_a?(Hash) data.with_indifferent_access |