diff options
| author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 12:11:18 -0800 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 12:11:18 -0800 |
| commit | 88cc1688d0cb828c17706b41a8bd27870f2a2beb (patch) | |
| tree | 1001415a74aa4ba81cc8fc305f4cb7a0bc145afc /actionpack/test/controller | |
| parent | f049016cd348627bf8db0d72382d7580bf802a79 (diff) | |
| parent | 2ced6f2f8a85957b160710ae5d9fb245a6106550 (diff) | |
| download | rails-88cc1688d0cb828c17706b41a8bd27870f2a2beb.tar.gz rails-88cc1688d0cb828c17706b41a8bd27870f2a2beb.tar.bz2 rails-88cc1688d0cb828c17706b41a8bd27870f2a2beb.zip | |
Merge branch 'master-sec'
* master-sec:
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Diffstat (limited to 'actionpack/test/controller')
| -rw-r--r-- | actionpack/test/controller/webservice_test.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/actionpack/test/controller/webservice_test.rb b/actionpack/test/controller/webservice_test.rb index c0b9833603..2602540fbe 100644 --- a/actionpack/test/controller/webservice_test.rb +++ b/actionpack/test/controller/webservice_test.rb @@ -116,6 +116,19 @@ class WebServiceTest < ActionDispatch::IntegrationTest end end + def test_post_xml_using_a_disallowed_type_attribute + $stderr = StringIO.new + with_test_route_set do + post '/', '<foo type="symbol">value</foo>', 'CONTENT_TYPE' => 'application/xml' + assert_response 500 + + post '/', '<foo type="yaml">value</foo>', 'CONTENT_TYPE' => 'application/xml' + assert_response 500 + end + ensure + $stderr = STDERR + end + def test_register_and_use_yaml with_test_route_set do with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do |