diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 11:37:48 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 11:37:48 -0800 |
commit | 48810a52dfba26cef127168af447a9620d4555c3 (patch) | |
tree | 5df95d8adbfcade0f7fedcc06e8e4fe1cdab6580 /actionpack/test/controller/webservice_test.rb | |
parent | f64be7d0d825828098617e6b7c2645dda72d4c18 (diff) | |
parent | 746dbd89faf8197e6d6f35f6e428a024923116a2 (diff) | |
download | rails-48810a52dfba26cef127168af447a9620d4555c3.tar.gz rails-48810a52dfba26cef127168af447a9620d4555c3.tar.bz2 rails-48810a52dfba26cef127168af447a9620d4555c3.zip |
Merge branch '3-2-sec' into 3-2-secmerge
* 3-2-sec:
bumping version
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Avoid Rack security warning no secret provided
Conflicts:
actionpack/CHANGELOG.md
activerecord/CHANGELOG.md
activesupport/CHANGELOG.md
Diffstat (limited to 'actionpack/test/controller/webservice_test.rb')
-rw-r--r-- | actionpack/test/controller/webservice_test.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/actionpack/test/controller/webservice_test.rb b/actionpack/test/controller/webservice_test.rb index ae8588cbb0..13b6f4fc39 100644 --- a/actionpack/test/controller/webservice_test.rb +++ b/actionpack/test/controller/webservice_test.rb @@ -118,6 +118,19 @@ class WebServiceTest < ActionDispatch::IntegrationTest end end + def test_post_xml_using_a_disallowed_type_attribute + $stderr = StringIO.new + with_test_route_set do + post '/', '<foo type="symbol">value</foo>', 'CONTENT_TYPE' => 'application/xml' + assert_response 500 + + post '/', '<foo type="yaml">value</foo>', 'CONTENT_TYPE' => 'application/xml' + assert_response 500 + end + ensure + $stderr = STDERR + end + def test_register_and_use_yaml with_test_route_set do with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do |