author | Lukasz Sarnacki <lukesarnacki@gmail.com> | 2014-01-23 16:31:52 +0100 |
---|---|---|
committer | Lukasz Sarnacki <lukesarnacki@gmail.com> | 2014-01-28 20:29:38 +0100 |
commit | 69ab91ae9396f0101afd13871f179a7f779d3178 (patch) | |
tree | 5fea152a7fce596367503badf11bc21fe2e4e0c4 /guides/source/action_controller_overview.md | |
parent | b9cd5a29dd4c6142b19c861fbf1a67452320b3dd (diff) | |
download | rails-69ab91ae9396f0101afd13871f179a7f779d3178.tar.gz rails-69ab91ae9396f0101afd13871f179a7f779d3178.tar.bz2 rails-69ab91ae9396f0101afd13871f179a7f779d3178.zip |
Log which keys were set to nil in deep_munge
deep_munge solves CVE-2013-0155 security vulnerability, but its
behaviour is definitely confusing. This commit adds logging to deep_munge.
It logs keys for which values were set to nil.
Also, mentions in the guides were added.
Diffstat (limited to 'guides/source/action_controller_overview.md')
-rw-r--r-- | guides/source/action_controller_overview.md | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index f394daa6aa..c55637eb0a 100644 --- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md @@ -112,6 +112,10 @@ NOTE: The actual URL in this example will be encoded as "/clients?ids%5b%5d=1&id The value of `params[:ids]` will now be `["1", "2", "3"]`. Note that parameter values are always strings; Rails makes no attempt to guess or cast the type. +NOTE: Values such as `[]`, `[nil]` or `[nil, nil, ...]` in `params` are replaced +with `nil` for security reasons by default. See [Security Guide](security.html#unsafe-query-generation) +for more information. + To send a hash you include the key name inside the brackets: ```html |
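Review bot: The added NOTE in this hunk does not mention the logging that is the subject of this commit ("Log which keys were set to nil in deep_munge"), so a reader of the guide who finds a `nil` where they expected `[]` still has no hint of where to look. Suggest extending the note with one sentence such as "The keys whose values were replaced are written to the Rails log." so the guide points to the evidence the commit adds. Also, `[nil, nil, ...]` is clearer if spelled out as "arrays containing only `nil` values", which matches what the sentence before it already says about `[]` and `[nil]`.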