diff options
author | Jeremy Kemper <jeremy@bitsweat.net> | 2013-01-05 17:46:26 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 11:09:50 -0800 |
commit | 43109ecb986470ef023a7e91beb9812718f000fe (patch) | |
tree | 933ebe00489ab15c7db8d2622b1433a22d152807 /actionpack/test/controller/webservice_test.rb | |
parent | d5cd97baa44fa66dc681041a213092b45c57c32f (diff) | |
download | rails-43109ecb986470ef023a7e91beb9812718f000fe.tar.gz rails-43109ecb986470ef023a7e91beb9812718f000fe.tar.bz2 rails-43109ecb986470ef023a7e91beb9812718f000fe.zip |
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
Diffstat (limited to 'actionpack/test/controller/webservice_test.rb')
-rw-r--r-- | actionpack/test/controller/webservice_test.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/actionpack/test/controller/webservice_test.rb b/actionpack/test/controller/webservice_test.rb index ae8588cbb0..13b6f4fc39 100644 --- a/actionpack/test/controller/webservice_test.rb +++ b/actionpack/test/controller/webservice_test.rb @@ -118,6 +118,19 @@ class WebServiceTest < ActionDispatch::IntegrationTest end end + def test_post_xml_using_a_disallowed_type_attribute + $stderr = StringIO.new + with_test_route_set do + post '/', '<foo type="symbol">value</foo>', 'CONTENT_TYPE' => 'application/xml' + assert_response 500 + + post '/', '<foo type="yaml">value</foo>', 'CONTENT_TYPE' => 'application/xml' + assert_response 500 + end + ensure + $stderr = STDERR + end + def test_register_and_use_yaml with_test_route_set do with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do |