Merge pull request #35236 from renuo/fix-30467

Prohibit sneaky custom params from being drawn (Fix #30467)
author: Rafael França <rafaelmfranca@gmail.com> 2019-03-27 16:31:16 -0400
committer: GitHub <noreply@github.com> 2019-03-27 16:31:16 -0400
commit: 93dbbe3a81bee6da2f1e88ca6971299b462cad93 (patch)
tree: f2e207eac70d70ee375fc69db7c7b03fd133a729 /actionpack/lib/action_dispatch
parent: 3a0929901ffa852bab9644c662b811d42780c3a1 (diff)
parent: 25f2e0c39da2b9c61db75df2d767ee9c10d583b8 (diff)
download: rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.gz
rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.bz2
rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb
index da3ade652e..2d2073de9a 100644
--- a/actionpack/lib/action_dispatch/routing/mapper.rb
+++ b/actionpack/lib/action_dispatch/routing/mapper.rb
@@ -1141,6 +1141,10 @@ module ActionDispatch
           attr_reader :controller, :path, :param
 
           def initialize(entities, api_only, shallow, options = {})
+            if options[:param].to_s.include?(":")
+              raise ArgumentError, ":param option can't contain colons"
+            end
+
             @name       = entities.to_s
             @path       = (options[:path] || @name).to_s
             @controller = (options[:controller] || @name).to_s
author	Rafael França <rafaelmfranca@gmail.com>	2019-03-27 16:31:16 -0400
committer	GitHub <noreply@github.com>	2019-03-27 16:31:16 -0400
commit	93dbbe3a81bee6da2f1e88ca6971299b462cad93 (patch)
tree	f2e207eac70d70ee375fc69db7c7b03fd133a729 /actionpack/lib/action_dispatch
parent	3a0929901ffa852bab9644c662b811d42780c3a1 (diff)
parent	25f2e0c39da2b9c61db75df2d767ee9c10d583b8 (diff)
download	rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.gz rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.bz2 rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.zip