Merge pull request #14047 from strzalek/variants-array-check

Check if variant array contains only symbols

2 files changed, 10 insertions, 2 deletions

diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
index b75d7ffe9d..b803ce8b6f 100644
--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
@@ -70,10 +70,10 @@ module ActionDispatch
       def variant=(variant)
         if variant.is_a?(Symbol)
           @variant = [variant]
-        elsif variant.is_a?(Array)
+        elsif variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
           @variant = variant
         else
-          raise ArgumentError, "request.variant must be set to a Symbol or Array, not a #{variant.class}. " \
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
             "For security reasons, never directly set the variant to a user-provided value, " \
             "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
             "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
diff --git a/actionpack/test/dispatch/request_test.rb b/actionpack/test/dispatch/request_test.rb
index df47520850..40e32cb4d3 100644
--- a/actionpack/test/dispatch/request_test.rb
+++ b/actionpack/test/dispatch/request_test.rb
@@ -852,6 +852,14 @@ class RequestTest < ActiveSupport::TestCase
 
     request.variant = [:phone, :tablet]
     assert_equal [:phone, :tablet], request.variant
+
+    assert_raise ArgumentError do
+      request.variant = [:phone, "tablet"]
+    end
+
+    assert_raise ArgumentError do
+      request.variant = "yolo"
+    end
   end
 
   test "setting variant with non symbol value" do