diff options
| author | Derek Prior <derekprior@gmail.com> | 2016-03-25 16:55:59 -0400 |
|---|---|---|
| committer | Kasper Timm Hansen <kaspth@gmail.com> | 2016-04-26 22:14:03 +0200 |
| commit | cacded5a0e0acc0582c2778b9dd8df684451ad53 (patch) | |
| tree | 3128477bccff6657c8b1828063c8bc22ebf7810a /actionpack/lib | |
| parent | f03c27cad2d3b4a9751cccdc3834f719f1cfbaa2 (diff) | |
| download | rails-cacded5a0e0acc0582c2778b9dd8df684451ad53.tar.gz rails-cacded5a0e0acc0582c2778b9dd8df684451ad53.tar.bz2 rails-cacded5a0e0acc0582c2778b9dd8df684451ad53.zip | |
Add more info to insecure URL generation error
I always appreciate having a bit more information as to why something is
now an error. We can use this error to tell people why what they were
previously doing is insecure and give them hints on how to fix it.
Signed-off-by: Kasper Timm Hansen <kaspth@gmail.com>
Diffstat (limited to 'actionpack/lib')
| -rw-r--r-- | actionpack/lib/action_dispatch/routing.rb | 9 | ||||
| -rw-r--r-- | actionpack/lib/action_dispatch/routing/route_set.rb | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_dispatch/routing/url_for.rb | 2 |
3 files changed, 11 insertions, 2 deletions
diff --git a/actionpack/lib/action_dispatch/routing.rb b/actionpack/lib/action_dispatch/routing.rb index 79d2f1f13c..67f441dfec 100644 --- a/actionpack/lib/action_dispatch/routing.rb +++ b/actionpack/lib/action_dispatch/routing.rb @@ -252,5 +252,14 @@ module ActionDispatch SEPARATORS = %w( / . ? ) #:nodoc: HTTP_METHODS = [:get, :head, :post, :patch, :put, :delete, :options] #:nodoc: + + #:stopdoc: + INSECURE_URL_PARAMETERS_MESSAGE = <<-MSG.squish + Attempting to generate a URL from non-sanitized request parameters! + + An attacker can inject malicious data into the generated URL, such as + changing the host. Whitelist and sanitize passed parameters to be secure. + MSG + #:startdoc: end end diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb index c65dafe9e6..ed7130b58e 100644 --- a/actionpack/lib/action_dispatch/routing/route_set.rb +++ b/actionpack/lib/action_dispatch/routing/route_set.rb @@ -289,7 +289,7 @@ module ActionDispatch if last.permitted? args.pop.to_h else - raise ArgumentError, "Generating a URL from non sanitized request parameters is insecure!" + raise ArgumentError, ActionDispatch::Routing::INSECURE_URL_PARAMETERS_MESSAGE end end helper.call self, args, options diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb index 28be189f93..5ee138e6c6 100644 --- a/actionpack/lib/action_dispatch/routing/url_for.rb +++ b/actionpack/lib/action_dispatch/routing/url_for.rb @@ -173,7 +173,7 @@ module ActionDispatch route_name) when ActionController::Parameters unless options.permitted? - raise ArgumentError.new("Generating a URL from non sanitized request parameters is insecure!") + raise ArgumentError.new(ActionDispatch::Routing::INSECURE_URL_PARAMETERS_MESSAGE) end route_name = options.delete :use_route _routes.url_for(options.to_h.symbolize_keys. |