author: Arthur Neves <arthurnn@gmail.com> 2016-02-02 12:34:11 -0500
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2016-02-29 15:39:12 -0300
commit: 769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9 (patch)
tree: edda5caad1c6f069d2445f9243cd79833243f329 /actionpack/lib/action_view
parent: af9b9132f82d1f468836997c716a02f14e61c38c (diff)
Don't allow render(params) in view/controller
`render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters. CVE-2016-2098
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r--  actionpack/lib/action_view/renderer/renderer.rb  5
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/renderer/renderer.rb b/actionpack/lib/action_view/renderer/renderer.rb
index bf1b5a7d22..0f359899d6 100644
--- a/actionpack/lib/action_view/renderer/renderer.rb
+++ b/actionpack/lib/action_view/renderer/renderer.rb
@@ -11,6 +11,11 @@ module ActionView
# Main render entry point shared by AV and AC.
def render(context, options)
+ if (options.is_a?(HashWithIndifferentAccess) && !options.respond_to?(:permitted?)) ||
+ (options.respond_to?(:permitted?) && !options.permitted?)
+ raise ArgumentError, "render parameters are not permitted"
+ end
+
if options.key?(:partial)
render_partial(context, options)
else
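Review bot: the guard added at the top of `render` only fires for hash-like options (an object that is a HashWithIndifferentAccess or responds to `permitted?`), so the `render params[:id]` case named in the commit message, where the argument is a String, is not covered by this hunk; a short comment above the `if` saying that this check targets `render params` and that the String normalization path is handled on the controller side would save the next reader from assuming this is the whole fix. Also, the first clause `options.is_a?(HashWithIndifferentAccess) && !options.respond_to?(:permitted?)` rejects any indifferent-access hash that is not a Parameters object, including one a developer builds with `with_indifferent_access`, so the "render parameters are not permitted" message will surprise callers that never passed request input; either narrow the check to `respond_to?(:permitted?)` or call out the behaviour change in the CHANGELOG alongside the CVE reference.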