aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/new_base/render_text_test.rb
diff options
context:
space:
mode:
authorArthur Neves <arthurnn@gmail.com>2016-02-02 12:34:11 -0500
committerRafael Mendonça França <rafaelmfranca@gmail.com>2016-02-29 15:39:02 -0300
commitaf9b9132f82d1f468836997c716a02f14e61c38c (patch)
tree206e4b89c5486826efdd5223f17a8767e047cc48 /actionpack/test/controller/new_base/render_text_test.rb
parent9892626579d1c62c367e5344a1d1642708340f88 (diff)
downloadrails-af9b9132f82d1f468836997c716a02f14e61c38c.tar.gz
rails-af9b9132f82d1f468836997c716a02f14e61c38c.tar.bz2
rails-af9b9132f82d1f468836997c716a02f14e61c38c.zip
Complete work on 3.2 for render_data_leak patch.
Render could leak access to external files before this patch. A previous patch(CVE-2016-0752), attempted to fix this. However the tests were miss-placed outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar with the 4.x series patches. Now `render 'foo/bar'`, will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only lookup a template, to constraint the folders that can be accessed. CVE-2016-2097
Diffstat (limited to 'actionpack/test/controller/new_base/render_text_test.rb')
0 files changed, 0 insertions, 0 deletions