aboutsummaryrefslogtreecommitdiffstats
path: root/activemodel/lib/active_model/validations/confirmation.rb
diff options
context:
space:
mode:
authorArthur Neves <arthurnn@gmail.com>2016-02-02 12:34:11 -0500
committerRafael Mendonça França <rafaelmfranca@gmail.com>2016-02-29 15:39:12 -0300
commit769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9 (patch)
treeedda5caad1c6f069d2445f9243cd79833243f329 /activemodel/lib/active_model/validations/confirmation.rb
parentaf9b9132f82d1f468836997c716a02f14e61c38c (diff)
downloadrails-769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9.tar.gz
rails-769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9.tar.bz2
rails-769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9.zip
Don't allow render(params) in view/controller
`render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters. CVE-2016-2098
Diffstat (limited to 'activemodel/lib/active_model/validations/confirmation.rb')
0 files changed, 0 insertions, 0 deletions