Complete work on 3.2 for render_data_leak patch.

Render could leak access to external files before this patch.
A previous patch(CVE-2016-0752), attempted to fix this. However the tests
were miss-placed outside the TestCase subclass, so they were not running.

We should allow :file to be outside rails root, but anything else must
be inside the rails view directory.

The implementation has changed a bit though. Now the patch is more
similar with the 4.x series patches.
Now `render 'foo/bar'`, will add a special key in the options
hash, and not use the :file one, so when we look up that file, we
don't set the fallbacks, and only lookup a template, to constraint the
folders that can be accessed.

CVE-2016-2097

0 files changed, 0 insertions, 0 deletions