Strip [nil] from parameters hash.

Thanks to Ben Murphy for reporting this! CVE-2012-2660
author: Aaron Patterson <aaron.patterson@gmail.com> 2012-05-30 15:13:03 -0700
committer: Aaron Patterson <aaron.patterson@gmail.com> 2012-05-30 15:13:42 -0700
commit: dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d (patch)
tree: c17cc2176f64fa79dbc90ed132f846a7aa99a4eb /actionpack/lib
parent: 71f7917c553cdc9a0ee49e87af0efb7429759718 (diff)
download: rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.tar.gz
rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.tar.bz2
rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.zip
1 files changed, 22 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index 820921252d..adbb5d1346 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -247,6 +247,28 @@ module ActionDispatch
       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
     end
 
+    protected
+
+    # Remove nils from the params hash
+    def deep_munge(hash)
+      hash.each_value do |v|
+        case v
+        when Array
+          v.grep(Hash) { |x| deep_munge(x) }
+        when Hash
+          deep_munge(v)
+        end
+      end
+
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+      hash
+    end
+
+    def parse_query(qs)
+      deep_munge(super)
+    end
+
     private
 
     def check_method(name)
author	Aaron Patterson <aaron.patterson@gmail.com>	2012-05-30 15:13:03 -0700
committer	Aaron Patterson <aaron.patterson@gmail.com>	2012-05-30 15:13:42 -0700
commit	dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d (patch)
tree	c17cc2176f64fa79dbc90ed132f846a7aa99a4eb /actionpack/lib
parent	71f7917c553cdc9a0ee49e87af0efb7429759718 (diff)
download	rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.tar.gz rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.tar.bz2 rails-dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d.zip