diff options
| author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2017-04-17 18:55:21 -0400 |
|---|---|---|
| committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2017-04-18 18:57:13 -0400 |
| commit | 93034ad7fea7e00562103a7cd0acfab19bbfadf9 (patch) | |
| tree | 9cba660f6dd0e0c26cf9de8ecf0a818c5a87970f /actionpack/lib/action_dispatch | |
| parent | 70c6fb1a06d76d0d6cddb6fb50137aa1341745a0 (diff) | |
| download | rails-93034ad7fea7e00562103a7cd0acfab19bbfadf9.tar.gz rails-93034ad7fea7e00562103a7cd0acfab19bbfadf9.tar.bz2 rails-93034ad7fea7e00562103a7cd0acfab19bbfadf9.zip | |
Reuse the Parameters#to_h check in the routing helpers
Since this protection is now in Parameters we can use it instead of
reimplementing again.
Diffstat (limited to 'actionpack/lib/action_dispatch')
| -rw-r--r-- | actionpack/lib/action_dispatch/routing.rb | 9 | ||||
| -rw-r--r-- | actionpack/lib/action_dispatch/routing/route_set.rb | 6 | ||||
| -rw-r--r-- | actionpack/lib/action_dispatch/routing/url_for.rb | 13 |
3 files changed, 4 insertions, 24 deletions
diff --git a/actionpack/lib/action_dispatch/routing.rb b/actionpack/lib/action_dispatch/routing.rb index 60d4789a63..87dd1eba38 100644 --- a/actionpack/lib/action_dispatch/routing.rb +++ b/actionpack/lib/action_dispatch/routing.rb @@ -254,14 +254,5 @@ module ActionDispatch SEPARATORS = %w( / . ? ) #:nodoc: HTTP_METHODS = [:get, :head, :post, :patch, :put, :delete, :options] #:nodoc: - - #:stopdoc: - INSECURE_URL_PARAMETERS_MESSAGE = <<-MSG.squish - Attempting to generate a URL from non-sanitized request parameters! - - An attacker can inject malicious data into the generated URL, such as - changing the host. Whitelist and sanitize passed parameters to be secure. - MSG - #:startdoc: end end diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb index 129e90037e..e1f9fc9ecc 100644 --- a/actionpack/lib/action_dispatch/routing/route_set.rb +++ b/actionpack/lib/action_dispatch/routing/route_set.rb @@ -318,11 +318,7 @@ module ActionDispatch when Hash args.pop when ActionController::Parameters - if last.permitted? - args.pop.to_h - else - raise ArgumentError, ActionDispatch::Routing::INSECURE_URL_PARAMETERS_MESSAGE - end + args.pop.to_h end helper.call self, args, options end diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb index 008216cc80..a9bdefa775 100644 --- a/actionpack/lib/action_dispatch/routing/url_for.rb +++ b/actionpack/lib/action_dispatch/routing/url_for.rb @@ -171,17 +171,10 @@ module ActionDispatch case options when nil _routes.url_for(url_options.symbolize_keys) - when Hash + when Hash, ActionController::Parameters route_name = options.delete :use_route - _routes.url_for(options.symbolize_keys.reverse_merge!(url_options), - route_name) - when ActionController::Parameters - unless options.permitted? - raise ArgumentError.new(ActionDispatch::Routing::INSECURE_URL_PARAMETERS_MESSAGE) - end - route_name = options.delete :use_route - _routes.url_for(options.to_h.symbolize_keys. - reverse_merge!(url_options), route_name) + merged_url_options = options.to_h.symbolize_keys.reverse_merge!(url_options) + _routes.url_for(merged_url_options, route_name) when String options when Symbol |