diff options
| author | Rafael França <rafaelmfranca@gmail.com> | 2015-12-18 12:47:38 -0200 |
|---|---|---|
| committer | Rafael França <rafaelmfranca@gmail.com> | 2015-12-18 12:47:38 -0200 |
| commit | b5c13fcdaa3f3746888b174caa3df2873846df2e (patch) | |
| tree | b574a7d913758fbd3dd85e7a84b211c6bd88a122 /actionpack/lib/action_dispatch | |
| parent | 90101afe1ab9e8d5b241f968f164171c2d9c4fc6 (diff) | |
| parent | 4752e7d83794ecf23c6d0367f0bcad8eee33da59 (diff) | |
| download | rails-b5c13fcdaa3f3746888b174caa3df2873846df2e.tar.gz rails-b5c13fcdaa3f3746888b174caa3df2873846df2e.tar.bz2 rails-b5c13fcdaa3f3746888b174caa3df2873846df2e.zip | |
Merge pull request #20797 from byroot/prevent-url-for-ac-parameters
Prevent ActionController::Parameters in url_for
Diffstat (limited to 'actionpack/lib/action_dispatch')
| -rw-r--r-- | actionpack/lib/action_dispatch/routing/url_for.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb index b6c031dcf4..f91679593e 100644 --- a/actionpack/lib/action_dispatch/routing/url_for.rb +++ b/actionpack/lib/action_dispatch/routing/url_for.rb @@ -172,8 +172,11 @@ module ActionDispatch _routes.url_for(options.symbolize_keys.reverse_merge!(url_options), route_name) when ActionController::Parameters + unless options.permitted? + raise ArgumentError.new("Generating an URL from non sanitized request parameters is insecure!") + end route_name = options.delete :use_route - _routes.url_for(options.to_unsafe_h.symbolize_keys. + _routes.url_for(options.to_h.symbolize_keys. reverse_merge!(url_options), route_name) when String options |