CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.

author: Jeremy Kemper <jeremy@bitsweat.net> 2013-01-05 17:46:26 -0700
committer: Aaron Patterson <aaron.patterson@gmail.com> 2013-01-08 11:09:50 -0800
commit: 43109ecb986470ef023a7e91beb9812718f000fe (patch)
tree: 933ebe00489ab15c7db8d2622b1433a22d152807 /actionpack
parent: d5cd97baa44fa66dc681041a213092b45c57c32f (diff)
download: rails-43109ecb986470ef023a7e91beb9812718f000fe.tar.gz
rails-43109ecb986470ef023a7e91beb9812718f000fe.tar.bz2
rails-43109ecb986470ef023a7e91beb9812718f000fe.zip
1 files changed, 13 insertions, 0 deletions
diff --git a/actionpack/test/controller/webservice_test.rb b/actionpack/test/controller/webservice_test.rb
index ae8588cbb0..13b6f4fc39 100644
--- a/actionpack/test/controller/webservice_test.rb
+++ b/actionpack/test/controller/webservice_test.rb
@@ -118,6 +118,19 @@ class WebServiceTest < ActionDispatch::IntegrationTest
     end
   end
 
+  def test_post_xml_using_a_disallowed_type_attribute
+    $stderr = StringIO.new
+    with_test_route_set do
+      post '/', '<foo type="symbol">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+      assert_response 500
+
+      post '/', '<foo type="yaml">value</foo>', 'CONTENT_TYPE' => 'application/xml'
+      assert_response 500
+    end
+  ensure
+    $stderr = STDERR
+  end
+
   def test_register_and_use_yaml
     with_test_route_set do
       with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do
author	Jeremy Kemper <jeremy@bitsweat.net>	2013-01-05 17:46:26 -0700
committer	Aaron Patterson <aaron.patterson@gmail.com>	2013-01-08 11:09:50 -0800
commit	43109ecb986470ef023a7e91beb9812718f000fe (patch)
tree	933ebe00489ab15c7db8d2622b1433a22d152807 /actionpack
parent	d5cd97baa44fa66dc681041a213092b45c57c32f (diff)
download	rails-43109ecb986470ef023a7e91beb9812718f000fe.tar.gz rails-43109ecb986470ef023a7e91beb9812718f000fe.tar.bz2 rails-43109ecb986470ef023a7e91beb9812718f000fe.zip