Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md6
-rw-r--r--actionpack/lib/action_dispatch/http/request.rb6
-rw-r--r--actionpack/lib/action_pack/version.rb2
-rw-r--r--actionpack/test/dispatch/request/query_string_parsing_test.rb4
4 files changed, 14 insertions, 4 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 75fb902196..4b483b200f 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,4 +1,8 @@
-## Rails 3.2.6 (unreleased) ##
+## Rails 3.2.6 (Jun 12, 2012) ##
+
+* nil is removed from array parameter values
+
+ CVE-2012-2694
* Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers.
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index adbb5d1346..afc0496ef9 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -251,17 +251,19 @@ module ActionDispatch
# Remove nils from the params hash
def deep_munge(hash)
+ keys = hash.keys.find_all { |k| hash[k] == [nil] }
+ keys.each { |k| hash[k] = nil }
+
hash.each_value do |v|
case v
when Array
v.grep(Hash) { |x| deep_munge(x) }
+ v.compact!
when Hash
deep_munge(v)
end
end
- keys = hash.keys.find_all { |k| hash[k] == [nil] }
- keys.each { |k| hash[k] = nil }
hash
end
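Review bot: The `[nil]` pass at the top of `deep_munge` matches only an array holding exactly one nil, so a value such as `[nil, nil]` slips past it and is then emptied by the new `v.compact!`, leaving `[]` in the params rather than nil. Code downstream that guards with a nil check would still receive a non-nil, empty value; whether that reaches a query builder is not visible from this hunk, but the empty-array case is the same class of input this change is meant to normalise. Iterating with `hash.each do |k, v|` and adding `hash[k] = nil if v.empty?` right after `v.compact!` would cover it and make the separate `[nil]` pass unnecessary. The accompanying test only exercises `"action[]=1&action[]"`; a case asserting that `"action[]&action[]"` parses to `{"action" => nil}` would pin the behaviour.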
diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb
index 8df68441c3..58ccf8ebc2 100644
--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
module VERSION #:nodoc:
MAJOR = 3
MINOR = 2
- TINY = 5
+ TINY = 6
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
index 181f51add5..bc0641e3a0 100644
--- a/actionpack/test/dispatch/request/query_string_parsing_test.rb
+++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb
@@ -89,6 +89,10 @@ class QueryStringParsingTest < ActionDispatch::IntegrationTest
assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
end
+ def test_array_parses_without_nil
+ assert_parses({"action" => ['1']}, "action[]=1&action[]")
+ end
+
test "query string with empty key" do
assert_parses(
{ "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },