diff options
author | Rafael França <rafaelmfranca@gmail.com> | 2019-03-27 16:31:16 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-03-27 16:31:16 -0400 |
commit | 93dbbe3a81bee6da2f1e88ca6971299b462cad93 (patch) | |
tree | f2e207eac70d70ee375fc69db7c7b03fd133a729 /actionpack/lib/action_dispatch | |
parent | 3a0929901ffa852bab9644c662b811d42780c3a1 (diff) | |
parent | 25f2e0c39da2b9c61db75df2d767ee9c10d583b8 (diff) | |
download | rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.gz rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.bz2 rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.zip |
Merge pull request #35236 from renuo/fix-30467
Prohibit sneaky custom params from being drawn (Fix #30467)
Diffstat (limited to 'actionpack/lib/action_dispatch')
-rw-r--r-- | actionpack/lib/action_dispatch/routing/mapper.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb index da3ade652e..2d2073de9a 100644 --- a/actionpack/lib/action_dispatch/routing/mapper.rb +++ b/actionpack/lib/action_dispatch/routing/mapper.rb @@ -1141,6 +1141,10 @@ module ActionDispatch attr_reader :controller, :path, :param def initialize(entities, api_only, shallow, options = {}) + if options[:param].to_s.include?(":") + raise ArgumentError, ":param option can't contain colons" + end + @name = entities.to_s @path = (options[:path] || @name).to_s @controller = (options[:controller] || @name).to_s |