| author | eileencodes <eileencodes@gmail.com> | 2016-01-28 14:18:01 -0500 |
|---|---|---|
| committer | eileencodes <eileencodes@gmail.com> | 2016-01-28 14:25:57 -0500 |
| commit | 020d6fda29c1f04818dbf467764fc8ac16b7042f (patch) | |
| tree | 869199120b460ed7389406847ff152bce347215d /actionpack | |
| parent | 9f3730a516f30beb0050caea9539f8d6b808e58a (diff) | |
Regression test for rendering file from absolute path
Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
Diffstat (limited to 'actionpack')

| -rw-r--r-- | actionpack/test/controller/render_test.rb | 11 |
|---|---|---|

1 files changed, 11 insertions, 0 deletions
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb index d1b9586533..2e1a687513 100644 --- a/actionpack/test/controller/render_test.rb +++ b/actionpack/test/controller/render_test.rb @@ -270,6 +270,17 @@ class ExpiresInRenderTest < ActionController::TestCase response.body end + def test_dynamic_render_with_absolute_path + file = Tempfile.new + file.write "secrets!" + file.flush + assert_raises ActionView::MissingTemplate do + response = get :dynamic_render, params: { id: file.path } + end + ensure + file.unlink + end + def test_dynamic_render assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')) assert_raises ActionView::MissingTemplate do |
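Review bot: the `ensure` clause in `test_dynamic_render_with_absolute_path` calls `file.unlink` unconditionally, which raises `NoMethodError` on `nil` if `Tempfile.new` itself fails before `file` is assigned, and `unlink` alone leaves the descriptor open until the object is garbage-collected; `file.close! if file` closes and removes the tempfile in one call and is safe when creation failed. The assignment `response = get :dynamic_render, params: { id: file.path }` inside the `assert_raises` block is dead code, since the call is expected to raise before it returns a value; dropping the `response =` prefix avoids an unused-variable warning and makes the intent of the block clearer. The test writes `"secrets!"` to the tempfile but only checks that `ActionView::MissingTemplate` is raised; that is sufficient here because no body is rendered when the exception fires, but a short comment stating that the path lies outside the application's view paths would document why the raise is the expected outcome.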