author: Arthur Neves <arthurnn@gmail.com> 2016-02-02 12:34:11 -0500
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2016-02-29 15:39:02 -0300
commit: af9b9132f82d1f468836997c716a02f14e61c38c (patch)
tree: 206e4b89c5486826efdd5223f17a8767e047cc48 /actionpack/lib/action_view/path_set.rb
parent: 9892626579d1c62c367e5344a1d1642708340f88 (diff)
Complete work on 3.2 for render_data_leak patch.
Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However, the tests were misplaced outside the TestCase subclass, so they were not running. We should allow :file to be outside the rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed. CVE-2016-2097
Diffstat (limited to 'actionpack/lib/action_view/path_set.rb')
-rw-r--r-- actionpack/lib/action_view/path_set.rb | 26
1 files changed, 19 insertions, 7 deletions
diff --git a/actionpack/lib/action_view/path_set.rb b/actionpack/lib/action_view/path_set.rb
index bbb1af8154..1c54a970cb 100644
--- a/actionpack/lib/action_view/path_set.rb
+++ b/actionpack/lib/action_view/path_set.rb
@@ -58,23 +58,35 @@ module ActionView #:nodoc:
find_all(*args).first || raise(MissingTemplate.new(self, *args))
end
+ def find_file(path, prefixes = [], *args)
+ _find_all(path, prefixes, args, true).first || raise(MissingTemplate.new(self, path, prefixes, *args))
+ end
+
def find_all(path, prefixes = [], *args)
+ _find_all path, prefixes, args, false
+ end
+
+ def exists?(path, prefixes, *args)
+ find_all(path, prefixes, *args).any?
+ end
+
+ private
+
+ def _find_all(path, prefixes, args, outside_app)
prefixes = [prefixes] if String === prefixes
prefixes.each do |prefix|
paths.each do |resolver|
- templates = resolver.find_all(path, prefix, *args)
+ if outside_app
+ templates = resolver.find_all_anywhere(path, prefix, *args)
+ else
+ templates = resolver.find_all(path, prefix, *args)
+ end
return templates unless templates.empty?
end
end
[]
end
- def exists?(path, prefixes, *args)
- find_all(path, prefixes, *args).any?
- end
-
- private
-
def typecast(paths)
paths.map do |path|
case path
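Review bot: `_find_all` calls `resolver.find_all_anywhere(path, prefix, *args)` on every resolver in `paths` when `outside_app` is true, but this hunk neither defines that method nor guards for resolvers that lack it, so a custom resolver that only implements `find_all` will raise `NoMethodError` the first time a `:file` render reaches it; at minimum, `find_file` should carry a comment stating that it is the only entry point permitted to resolve templates outside the configured view paths (the `:file` case the commit message describes) and that any resolver on this path set must implement `find_all_anywhere`, with `find_all` remaining the constrained default. Minor style point: `_find_all path, prefixes, args, false` in `find_all` drops the parentheses that the sibling call in `find_file` uses; keep the two consistent.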