author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-25 11:23:48 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-25 11:23:48 -0800 |
commit | 3b4398bb605cc7b6f475bf76c19aa0702700a199 (patch) | |
tree | 13285c577d9b6aff2fde072a2030b0468a775423 /actionpack/lib/action_view | |
parent | d25e79fba6090d56769da6f0fbb401bb1afdb28a (diff) | |
parent | 8d86637fb64ae8ae81ab71a286ddba02cc3144a4 (diff) | |
Merge branch '3-2-sec' into 3-2-stable
* 3-2-sec:
bumping version
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r-- | actionpack/lib/action_view/template/resolver.rb | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index 47ea8a3c9b..c6db6685e4 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -110,6 +110,9 @@ module ActionView
 super()
 end
+ cattr_accessor :allow_external_files, instance_reader: false, instance_writer: false
+ self.allow_external_files = false
+
 private
 def find_templates(name, prefix, partial, details)
@@ -122,6 +125,10 @@ module ActionView
 template_paths = find_template_paths query
+ unless self.class.allow_external_files
+ template_paths = reject_files_external_to_app(template_paths)
+ end
+
 template_paths.map { |template|
 handler, format = extract_handler_and_format(template, formats)
 contents = File.binread template
@@ -133,6 +140,10 @@ module ActionView
 }
 end
+ def reject_files_external_to_app(files)
+ files.reject { |filename| !inside_path?(@path, filename) }
+ end
+
 if RUBY_VERSION >= '2.2.0'
 def find_template_paths(query)
 Dir[query].reject { |filename|
@@ -153,6 +164,12 @@ module ActionView
 end
 end
+ def inside_path?(path, filename)
+ filename = File.expand_path(filename)
+ path = File.join(path, '')
+ filename.start_with?(path)
+ end
+
 # Helper for building query glob string based on resolver's pattern.
 def build_query(path, details)
 query = @pattern.dup
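Review bot: In the last hunk `inside_path?` canonicalizes only `filename`, while `path` is joined as given, so the containment check is only as strong as the `@path` the third hunk passes straight through; if `@path` is already expanded in the initializer (outside these hunks) that is fine today, but the helper should not depend on it: `path = File.join(File.expand_path(path), '')`. `File.expand_path` is also purely lexical, so a symlink below the view directory that points elsewhere still satisfies the prefix test; resolving through `File.realpath` (where the supported Rubies provide it, and noting it raises for dangling links) would close that gap. The double negative in the third hunk reads more directly as `files.select { |filename| inside_path?(@path, filename) }`. The `allow_external_files` accessor in the first hunk is a class-wide opt-out with no explanation; a one-line comment such as `# Opt-out: when true, templates resolved outside @path are no longer rejected.` would tell readers what flipping it gives up. The enclosing class of these methods starts outside the hunks.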