diff options
author | Lukasz Sarnacki <lukesarnacki@gmail.com> | 2014-01-23 16:31:52 +0100 |
---|---|---|
committer | Lukasz Sarnacki <lukesarnacki@gmail.com> | 2014-01-28 20:29:38 +0100 |
commit | 69ab91ae9396f0101afd13871f179a7f779d3178 (patch) | |
tree | 5fea152a7fce596367503badf11bc21fe2e4e0c4 /actionpack/lib/action_dispatch | |
parent | b9cd5a29dd4c6142b19c861fbf1a67452320b3dd (diff) | |
download | rails-69ab91ae9396f0101afd13871f179a7f779d3178.tar.gz rails-69ab91ae9396f0101afd13871f179a7f779d3178.tar.bz2 rails-69ab91ae9396f0101afd13871f179a7f779d3178.zip |
Log which keys were set to nil in deep_munge
deep_munge solves CVE-2013-0155 security vulnerability, but its
behaviour is definately confuisng. This commit adds logging to deep_munge.
It logs keys for which values were set to nil.
Also mentions in guides were added.
Diffstat (limited to 'actionpack/lib/action_dispatch')
-rw-r--r-- | actionpack/lib/action_dispatch/request/utils.rb | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/actionpack/lib/action_dispatch/request/utils.rb b/actionpack/lib/action_dispatch/request/utils.rb index a6dca9741c..9d4f1aa3c5 100644 --- a/actionpack/lib/action_dispatch/request/utils.rb +++ b/actionpack/lib/action_dispatch/request/utils.rb @@ -7,18 +7,23 @@ module ActionDispatch class << self # Remove nils from the params hash - def deep_munge(hash) + def deep_munge(hash, keys = []) return hash unless perform_deep_munge hash.each do |k, v| + keys << k case v when Array - v.grep(Hash) { |x| deep_munge(x) } + v.grep(Hash) { |x| deep_munge(x, keys) } v.compact! - hash[k] = nil if v.empty? + if v.empty? + hash[k] = nil + ActiveSupport::Notifications.instrument("deep_munge.action_controller", keys: keys) + end when Hash - deep_munge(v) + deep_munge(v, keys) end + keys.pop end hash |