authorJean Boussier <jean.boussier@gmail.com>2015-07-07 13:47:16 -0400
committerJean Boussier <jean.boussier@gmail.com>2015-12-15 13:16:54 +0100
commit4752e7d83794ecf23c6d0367f0bcad8eee33da59 (patch)
treeff8f521583023efd23f62a7e584bd69660bd9c05 /actionpack/lib
parent2dd64a7bbb0cb7b65976cb0516d0f338b099a715 (diff)
Prevent ActionController::Parameters from being passed to url_for directly
Diffstat (limited to 'actionpack/lib')
-rw-r--r--actionpack/lib/action_controller/metal/redirecting.rb1
-rw-r--r--actionpack/lib/action_dispatch/routing/url_for.rb5
2 files changed, 4 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 0febc905f1..4d5a709a7e 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -67,7 +67,6 @@ module ActionController
# <tt>ActionController::RedirectBackError</tt>.
def redirect_to(options = {}, response_status = {}) #:doc:
raise ActionControllerError.new("Cannot redirect to nil!") unless options
- raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
raise AbstractController::DoubleRenderError if response_body
self.status = _extract_redirect_to_status(options, response_status)
diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb
index b6c031dcf4..f91679593e 100644
--- a/actionpack/lib/action_dispatch/routing/url_for.rb
+++ b/actionpack/lib/action_dispatch/routing/url_for.rb
@@ -172,8 +172,11 @@ module ActionDispatch
_routes.url_for(options.symbolize_keys.reverse_merge!(url_options),
route_name)
when ActionController::Parameters
+ unless options.permitted?
+ raise ArgumentError.new("Generating an URL from non sanitized request parameters is insecure!")
+ end
route_name = options.delete :use_route
- _routes.url_for(options.to_unsafe_h.symbolize_keys.
+ _routes.url_for(options.to_h.symbolize_keys.
reverse_merge!(url_options), route_name)
when String
options
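Review bot: The new `permitted?` guard only enforces that the caller went through `permit`/`permit!` before generating a URL; it does not inspect the values themselves, so a `permit!`-ed object still carries whatever the client sent, and a short comment above the `unless` should say so, e.g. `# Refuse unpermitted params: URL generation from unfiltered request input lets a client dictate route options.`. Note also that the removed line in redirecting.rb (hunk 1) raised `ActionControllerError` for a `Parameters` argument, whereas the new check raises `ArgumentError`, so any caller that rescued the old class for this case now sees a different exception; that deserves a sentence in the `url_for` rdoc and a changelog entry. As a point of style, the raise reads better as `raise ArgumentError, "Generating a URL from non sanitized request parameters is insecure!"` (class-and-message form, and "a URL"). The enclosing `url_for` method starts and ends outside this hunk.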