authorAaron Patterson <aaron.patterson@gmail.com>2016-01-20 10:39:19 -0800
committerAaron Patterson <aaron.patterson@gmail.com>2016-01-22 15:01:49 -0800
commit18269d250fa58001ce7d8318571546aa90412975 (patch)
treebb44a4b20c0964b201d38ed864f7ad6b19b3fb60 /actionpack/lib/action_view/template/resolver.rb
parentcdabc95608336dbea7b6a3a3e925de5bbd5313ba (diff)
allow :file to be outside rails root, but anything else must be inside the rails view directory
Conflicts: actionpack/test/controller/render_test.rb actionview/lib/action_view/template/resolver.rb CVE-2016-0752
Diffstat (limited to 'actionpack/lib/action_view/template/resolver.rb')
-rw-r--r--actionpack/lib/action_view/template/resolver.rb17
1 files changed, 17 insertions, 0 deletions
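--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -110,6 +110,9 @@ module ActionView
 super()
 end
+cattr_accessor :allow_external_files, instance_reader: false, instance_writer: false
+self.allow_external_files = false
+
 private
 def find_templates(name, prefix, partial, details)
@@ -122,6 +125,10 @@ module ActionView
 template_paths = find_template_paths query
+unless self.class.allow_external_files
+template_paths = reject_files_external_to_app(template_paths)
+end
+
 template_paths.map { |template|
 handler, format = extract_handler_and_format(template, formats)
 contents = File.binread template
@@ -133,6 +140,10 @@ module ActionView
 }
 end
+def reject_files_external_to_app(files)
+files.reject { |filename| !inside_path?(@path, filename) }
+end
+
 if RUBY_VERSION >= '2.2.0'
 def find_template_paths(query)
 Dir[query].reject { |filename|
@@ -153,6 +164,12 @@ module ActionView
 end
 end
+def inside_path?(path, filename)
+filename = File.expand_path(filename)
+path = File.join(path, '')
+filename.start_with?(path)
+end
+
 # Helper for building query glob string based on resolver's pattern.
 def build_query(path, details)
 query = @pattern.dup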
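Review bot: `inside_path?` normalises `filename` with `File.expand_path` but compares it against `@path` exactly as the resolver was constructed with, so a relative view path, or one containing `..` segments, never prefix-matches the expanded filename and every template is rejected; expanding both sides keeps the containment test meaningful: `path = File.join(File.expand_path(path), '')`. `File.expand_path` also leaves symlinks unresolved, so a symlink located under the view path is still accepted — presumably intended, since it is not the traversal case the commit addresses, but a one-line comment on the method stating that only lexical containment is checked would save the next reader the question. In `reject_files_external_to_app` the double negation reads more naturally as `files.select { |filename| inside_path?(@path, filename) }`. `allow_external_files` is a class-level, process-wide switch; a comment such as `# Process-wide escape hatch: when true, templates outside this resolver's path are no longer rejected` would make the consequence of flipping it explicit. The enclosing `find_templates` body and the resolver class itself continue outside these hunks.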