path: root/activejob/lib/active_job
author: Rafael Mendonça França <rafaelmfranca@gmail.com> 2018-09-05 17:38:09 -0400
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2018-11-27 15:28:41 -0500
commit: 72300f9742745f9535b06d45a9632e948ed7d79b (patch)
tree: 7d1f203574ac445f8532e68f9b75886f2d282b61 /activejob/lib/active_job
parent: ddaca7ccec208ee80652e696e001671fd6e735f9 (diff)
Do not deserialize GlobalID objects that were not generated by Active Job
Trusting any GlobalID object when deserializing jobs can allow attackers to access information that should not be accessible to them. Fix CVE-2018-16476.
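The following is an added illustration, not Active Job's code, of the failure mode the commit message describes: before the fix, any String argument that happened to be shaped like a GlobalID was passed through the locator when the job ran, so a string an attacker could place into a job argument (a comment body, a display name, a search term) was enough to have the worker load an arbitrary record and hand it to the job. The in-memory store, `toy_locate`, `GID_RE`, `deserialize_before`, `deserialize_after` and `run_scenario` are all assumptions of this example; `toy_locate` only mimics the locate-by-`gid://` behaviour, not the real `GlobalID::Locator`.

```ruby
# Added example (not Rails / Active Job code). Models the String branch of
# ActiveJob::Arguments.deserialize_argument before and after the
# CVE-2018-16476 fix against a toy in-memory store.

# Constructed in-memory "database": model name => id => record (assumption).
TOY_DB = {
  "User" => {
    1 => { id: 1, email: "alice@example.com", api_token: "secret-token-1" },
    2 => { id: 2, email: "bob@example.com",   api_token: "secret-token-2" },
  },
}.freeze

# Stand-in for GlobalID::Locator.locate (assumption): resolves
# gid://<app>/<Model>/<id> against TOY_DB, nil if not a GID or no match.
GID_RE = %r{\Agid://[^/]+/([A-Za-z]\w*)/(\d+)\z}

def toy_locate(string)
  m = GID_RE.match(string)
  return nil unless m
  TOY_DB.dig(m[1], Integer(m[2]))
end

# Scalar types Active Job passes through untouched (mirrors PERMITTED_TYPES
# in the hunk; exact list is an assumption of this example).
PERMITTED_TYPES = [NilClass, Integer, Float, TrueClass, FalseClass].freeze

# Vulnerable shape: a bare String is fed to the locator first.
def deserialize_before(argument)
  case argument
  when String
    toy_locate(argument) || argument
  when *PERMITTED_TYPES
    argument
  when Array
    argument.map { |a| deserialize_before(a) }
  else
    raise ArgumentError, "Unsupported argument type: #{argument.class}"
  end
end

# Fixed shape: a String is returned as the String it was enqueued as.
def deserialize_after(argument)
  case argument
  when String
    argument
  when *PERMITTED_TYPES
    argument
  when Array
    argument.map { |a| deserialize_after(a) }
  else
    raise ArgumentError, "Unsupported argument type: #{argument.class}"
  end
end

# Scenario: an application enqueues SomeJob.perform_later(params[:text]) and an
# attacker submits a GID-shaped string as that text (constructed input).
def run_scenario
  attacker_input = "gid://app/User/2"
  {
    before: deserialize_before(attacker_input), # the worker receives bob's record
    after:  deserialize_after(attacker_input),  # the worker receives the string
  }
end

if __FILE__ == $PROGRAM_NAME
  result = run_scenario
  puts "before fix: #{result[:before].inspect}"
  puts "after fix:  #{result[:after].inspect}"
end
```

The point of the fix is that only objects Active Job itself serialized as GlobalIDs on the way in (which it marks in a tagged form separate from a plain String, a path this hunk does not show) should ever be located on the way out; a value that arrived as a String must stay a String, no matter what it looks like.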
Diffstat (limited to 'activejob/lib/active_job')

activejob/lib/active_job/arguments.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index fa58c50ed0..92eb58aaaf 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -91,7 +91,7 @@ module ActiveJob
def deserialize_argument(argument)
case argument
when String
- GlobalID::Locator.locate(argument) || argument
+ argument
when *PERMITTED_TYPES
argument
when Array
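Review bot: with `GlobalID::Locator.locate(argument)` removed from the `when String` branch, a bare string such as `gid://app/User/1` now deserializes to that string instead of the located record, which is the intended fix but is also a behaviour change for any job already sitting in a queue whose GlobalID argument was stored in the old bare-String form; a CHANGELOG entry and a test asserting that a GID-shaped String round-trips unchanged would make that visible to operators draining queues across the upgrade. The hunk only shows this one branch, so the other deserialization paths in `arguments.rb` should be checked to confirm that locating now happens solely for values Active Job itself tagged as GlobalIDs when it serialized them.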