author | Xavier Noria <fxn@hashref.com> | 2013-12-21 01:11:47 +0100 |
---|---|---|
committer | Xavier Noria <fxn@hashref.com> | 2013-12-21 01:16:38 +0100 |
commit | 92f9ff8cc325d72d74cbf839ac9ac0acd474a768 (patch) | |
tree | 041cdcdcf7ed07f8efdd1574075f47716212fff8 /actionpack | |
parent | fbb79b517f3127ba620fedd01849f9628b78d6ce (diff) | |
converts hashes in arrays of unfiltered params to unpermitted params [fixes #13382]
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG.md | 6 | ||||
-rw-r--r-- | actionpack/lib/action_controller/metal/strong_parameters.rb | 13 | ||||
-rw-r--r-- | actionpack/test/controller/parameters/parameters_permit_test.rb | 7 |
3 files changed, 23 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 75d9b557f2..d696656521 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,9 @@
+* Converts hashes in arrays of unfiltered params to unpermitted params.
+
+ Fixes #13382
+
+ *Xavier Noria*
+
* New config option to opt out of params "deep munging" that was used to address security vulnerability CVE-2013-0155. In your app config:
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index b4948d99a8..a3ac15a1d2 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -330,11 +330,18 @@ module ActionController
private
def convert_hashes_to_parameters(key, value)
- if value.is_a?(Parameters) || !value.is_a?(Hash)
+ converted = convert_value_to_parameters(value)
+ self[key] = converted unless converted.equal?(value)
+ converted
+ end
+
+ def convert_value_to_parameters(value)
+ if value.is_a?(Array)
+ value.map { |_| convert_value_to_parameters(_) }
+ elsif value.is_a?(Parameters) || !value.is_a?(Hash)
value
else
- # Convert to Parameters on first access
- self[key] = self.class.new(value)
+ self.class.new(value)
end
end
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index b60c5f058d..ba191a7227 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
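Review bot: `converted.equal?(value)` in `convert_hashes_to_parameters` is never true when `value` is an Array, because the new `convert_value_to_parameters` always builds a fresh Array through `map`, so every read of an array-valued key re-walks the array and writes it back through `self[key] =`; the result stays correct because wrapping is idempotent (elements that are already `Parameters` are returned unchanged), but the "convert on first access" memoization described by the removed comment no longer holds for arrays. One way to keep it is to return the original array when nothing inside changed, e.g. `mapped = value.map { |element| convert_value_to_parameters(element) }` followed by `mapped.each_with_index.all? { |element, i| element.equal?(value[i]) } ? value : mapped`, which also drops the `_` block parameter that conventionally marks an unused variable. The write-back line deserves a comment of its own, e.g. `# Cache the wrapped value so permitted? state set on nested Parameters survives later reads`, since that is presumably the reason the assignment exists and why a hash nested in an array now becomes an unpermitted `Parameters` rather than a plain Hash outside the permitted? check. The enclosing `module ActionController` and the rest of the private section continue outside the hunk.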
@@ -153,6 +153,13 @@ class ParametersPermitTest < ActiveSupport::TestCase
assert_equal nil, params[:foo]
end
+ test 'hashes in array values get wrapped' do
+ params = ActionController::Parameters.new(foo: [{}, {}])
+ params[:foo].each do |hash|
+ assert !hash.permitted?
+ end
+ end
+
test "fetch doesnt raise ParameterMissing exception if there is a default" do
assert_equal "monkey", @params.fetch(:foo, "monkey")
assert_equal "monkey", @params.fetch(:foo) { "monkey" } |
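Review bot: The new test 'hashes in array values get wrapped' does not exercise the write-back in `convert_hashes_to_parameters`, so a regression where nested `Parameters` were rebuilt on every read (losing any `permit!` applied to them) would go unnoticed; a second access such as `params[:foo].first.permit!` followed by `assert params[:foo].first.permitted?` would pin that permitted state on a nested hash survives a later read. The loop also relies on `permitted?` raising `NoMethodError` if an element were still a plain Hash, which reports as an error rather than an assertion failure; `assert_kind_of ActionController::Parameters, hash` inside the loop states the intent directly. A nested input like `foo: [[{}]]` would additionally cover the recursive Array branch of `convert_value_to_parameters`. The test class continues outside the hunk.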