author | Rafael França <rafaelmfranca@gmail.com> | 2015-12-18 12:47:38 -0200 |
---|---|---|
committer | Rafael França <rafaelmfranca@gmail.com> | 2015-12-18 12:47:38 -0200 |
commit | b5c13fcdaa3f3746888b174caa3df2873846df2e (patch) | |
tree | b574a7d913758fbd3dd85e7a84b211c6bd88a122 /actionpack/lib | |
parent | 90101afe1ab9e8d5b241f968f164171c2d9c4fc6 (diff) | |
parent | 4752e7d83794ecf23c6d0367f0bcad8eee33da59 (diff) | |
Merge pull request #20797 from byroot/prevent-url-for-ac-parameters
Prevent ActionController::Parameters in url_for
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_controller/metal/redirecting.rb | 1 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/routing/url_for.rb | 5 |
2 files changed, 4 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 513f0bc7e1..b13ba06962 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -60,7 +60,6 @@ module ActionController
 #
 def redirect_to(options = {}, response_status = {}) #:doc:
 raise ActionControllerError.new("Cannot redirect to nil!") unless options
- raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
 raise AbstractController::DoubleRenderError if response_body
 self.status = _extract_redirect_to_status(options, response_status)
diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb
index b6c031dcf4..f91679593e 100644
--- a/actionpack/lib/action_dispatch/routing/url_for.rb
+++ b/actionpack/lib/action_dispatch/routing/url_for.rb
@@ -172,8 +172,11 @@ module ActionDispatch
 _routes.url_for(options.symbolize_keys.reverse_merge!(url_options), route_name)
 when ActionController::Parameters
+ unless options.permitted?
+ raise ArgumentError.new("Generating an URL from non sanitized request parameters is insecure!")
+ end
 route_name = options.delete :use_route
- _routes.url_for(options.to_unsafe_h.symbolize_keys.
+ _routes.url_for(options.to_h.symbolize_keys.
 reverse_merge!(url_options), route_name)
 when String
 options
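Review bot: The new `permitted?` gate in the `when ActionController::Parameters` branch only checks the object's whitelist flag, so a params object a controller has permitted wholesale (e.g. via `permit!`) or whose permit list includes routing keys such as `host`, `protocol` or `port` still reaches `_routes.url_for` with the request-supplied values winning over `url_options`, because `reverse_merge!` keeps keys already present in `options`. That is presumably fine for what the commit sets out to do (stop unfiltered params from being turned into URLs), but it deserves a comment so nobody reads the raise as a guarantee that the generated URL cannot be attacker-influenced: `# permitted? is a whole-object flag; permitted keys such as :host/:protocol still override url_options below`. `options.delete :use_route` also mutates the caller's Parameters instance before `to_h`, which mirrors the Hash branch above but is worth knowing since the params object is shared for the rest of the request. Style-wise, `raise ArgumentError, "…"` is the idiomatic form over `ArgumentError.new(...)`, and the message reads better as "Generating a URL from non-sanitized request parameters is insecure!". The `case options` statement and the enclosing `url_for` method begin before this hunk.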