author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-20 10:39:19 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-22 15:01:49 -0800 |
commit | 18269d250fa58001ce7d8318571546aa90412975 (patch) | |
tree | bb44a4b20c0964b201d38ed864f7ad6b19b3fb60 /actionpack/test/controller/new_base/render_file_test.rb | |
parent | cdabc95608336dbea7b6a3a3e925de5bbd5313ba (diff) | |
allow :file to be outside rails root, but anything else must be inside the rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
Diffstat (limited to 'actionpack/test/controller/new_base/render_file_test.rb')
-rw-r--r-- | actionpack/test/controller/new_base/render_file_test.rb | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/actionpack/test/controller/new_base/render_file_test.rb b/actionpack/test/controller/new_base/render_file_test.rb
index a961cbf849..c0e23db457 100644
--- a/actionpack/test/controller/new_base/render_file_test.rb
+++ b/actionpack/test/controller/new_base/render_file_test.rb
@@ -72,13 +72,23 @@ module RenderFile
 end

 test "rendering a relative path" do
- get :relative_path
- assert_response "The secret is in the sauce\n"
+ begin
+ ActionView::PathResolver.allow_external_files = true
+ get :relative_path
+ assert_response "The secret is in the sauce\n"
+ ensure
+ ActionView::PathResolver.allow_external_files = false
+ end
 end

 test "rendering a relative path with dot" do
- get :relative_path_with_dot
- assert_response "The secret is in the sauce\n"
+ begin
+ ActionView::PathResolver.allow_external_files = true
+ get :relative_path_with_dot
+ assert_response "The secret is in the sauce\n"
+ ensure
+ ActionView::PathResolver.allow_external_files = false
+ end
 end

 test "rendering a Pathname" do
|
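Review bot: Both `ensure` clauses hard-code `ActionView::PathResolver.allow_external_files = false` instead of restoring the value that was in place before the test, so the tests bake in an assumption about the default of a process-wide security switch and would silently reset it if anything else had set it differently. Capturing it first with `previous = ActionView::PathResolver.allow_external_files` and assigning `ActionView::PathResolver.allow_external_files = previous` in the `ensure` (assuming a class-level reader exists, which this hunk does not show) keeps the tests independent of that default; the same applies to the "rendering a relative path with dot" test. Both tests only exercise the permissive setting: this file section shows no companion case asserting that `get :relative_path` is refused when the flag is left at its default, which is the restriction the commit message describes, though such a test may live in a file outside this limited diffstat.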