author | Rafael França <rafaelmfranca@gmail.com> | 2019-03-27 16:31:16 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-03-27 16:31:16 -0400 |
commit | 93dbbe3a81bee6da2f1e88ca6971299b462cad93 (patch) | |
tree | f2e207eac70d70ee375fc69db7c7b03fd133a729 /actionpack | |
parent | 3a0929901ffa852bab9644c662b811d42780c3a1 (diff) | |
parent | 25f2e0c39da2b9c61db75df2d767ee9c10d583b8 (diff) | |
Merge pull request #35236 from renuo/fix-30467
Prohibit sneaky custom params from being drawn (Fix #30467)
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG.md | 15 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/routing/mapper.rb | 4 | ||||
-rw-r--r-- | actionpack/test/dispatch/routing_test.rb | 10 |
3 files changed, 29 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 2df6f5fc09..9931a0de81 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,18 @@
+* Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
+
+ After this change it's not possible anymore to configure routes like this:
+
+ ```
+ routes.draw do
+ resources :users, param: 'name/:sneaky'
+ end
+ ```
+
+ Fixes #30467.
+
+ *Josua Schmid*
+
+
 ## Rails 6.0.0.beta3 (March 11, 2019) ##
 * No changes.
diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb
index da3ade652e..2d2073de9a 100644
--- a/actionpack/lib/action_dispatch/routing/mapper.rb
+++ b/actionpack/lib/action_dispatch/routing/mapper.rb
@@ -1141,6 +1141,10 @@ module ActionDispatch
 attr_reader :controller, :path, :param
 def initialize(entities, api_only, shallow, options = {})
+ if options[:param].to_s.include?(":")
+ raise ArgumentError, ":param option can't contain colons"
+ end
+
 @name = entities.to_s
 @path = (options[:path] || @name).to_s
 @controller = (options[:controller] || @name).to_s
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index 897d17885e..7b763ec2bd 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
@@ -3338,6 +3338,16 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
 assert_equal "0c0c0b68-d24b-11e1-a861-001ff3fffe6f", @request.params[:download]
 end
+ def test_colon_containing_custom_param ex = assert_raises(ArgumentError) { draw do resources :profiles, param: "username/:is_admin" end }
+ assert_match(/:param option can't contain colon/, ex.message)
+ end
+
 def test_action_from_path_is_not_frozen
 draw do
 get "search" => "search" |
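Review bot: The guard added at the top of `Resource#initialize` in mapper.rb rejects only `:`, but `*` also introduces a dynamic (glob) segment in a route path, so a value such as `param: "name/*rest"` would presumably still pass this check and be interpolated into the member path as an extra wildcard capture — the same class of problem the commit fixes for `:`. Consider widening the check to both markers, e.g. `if options[:param].to_s.match?(/[:*]/)` with `raise ArgumentError, ":param option can't contain colons or asterisks"`; the assertion in `test_colon_containing_custom_param` (`/:param option can't contain colon/`) would still match that message. A one-line comment above the `if` stating the intent, `# A ":" or "*" in :param would smuggle an extra dynamic segment into the generated member path`, would tell the next reader why the option is constrained. The rest of `initialize` (including the assignment of `@param`) continues past the hunk.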