diff options
| author | devlin zed <me@devlinzed.com> | 2014-02-11 10:44:45 -0500 |
|---|---|---|
| committer | devlin zed <me@devlinzed.com> | 2014-02-11 10:44:45 -0500 |
| commit | ec0664a6eb8906fcd31a53a1efad69bdc7fe6f5b (patch) | |
| tree | 4af90f2225e06ee6269bc3ed894eebcf08992b6b /guides/source | |
| parent | b12c1b858ea8a781d221e94e2fc22bf729fe2086 (diff) | |
| download | rails-ec0664a6eb8906fcd31a53a1efad69bdc7fe6f5b.tar.gz rails-ec0664a6eb8906fcd31a53a1efad69bdc7fe6f5b.tar.bz2 rails-ec0664a6eb8906fcd31a53a1efad69bdc7fe6f5b.zip | |
Don't symbolize tainted data.
`I18n.locale=` symbolizes its argument, so passing it `params[:locale]`
allows one to DOS your application by visiting `...?locale=` URLS
repeatedly, with unique values, until the never-GCed symbols monopolize
the available memory.
Diffstat (limited to 'guides/source')
| -rw-r--r-- | guides/source/i18n.md | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/guides/source/i18n.md b/guides/source/i18n.md index d72717fa3b..088080721e 100644 --- a/guides/source/i18n.md +++ b/guides/source/i18n.md @@ -145,7 +145,11 @@ The _setting part_ is easy. You can set the locale in a `before_action` in the ` before_action :set_locale def set_locale - I18n.locale = params[:locale] || I18n.default_locale + if %w[en fr].include?(params[:locale]) + I18n.locale = params[:locale] + else + I18n.locale = I18n.default_locale + end end ``` |