diff options
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG.md | 6 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/http/request.rb | 6 | ||||
-rw-r--r-- | actionpack/lib/action_pack/version.rb | 2 | ||||
-rw-r--r-- | actionpack/test/dispatch/request/query_string_parsing_test.rb | 4 |
4 files changed, 14 insertions, 4 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 75fb902196..4b483b200f 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,4 +1,8 @@ -## Rails 3.2.6 (unreleased) ## +## Rails 3.2.6 (Jun 12, 2012) ## + +* nil is removed from array parameter values + + CVE-2012-2694 * Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers. diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index adbb5d1346..afc0496ef9 100644 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb @@ -251,17 +251,19 @@ module ActionDispatch # Remove nils from the params hash def deep_munge(hash) + keys = hash.keys.find_all { |k| hash[k] == [nil] } + keys.each { |k| hash[k] = nil } + hash.each_value do |v| case v when Array v.grep(Hash) { |x| deep_munge(x) } + v.compact! when Hash deep_munge(v) end end - keys = hash.keys.find_all { |k| hash[k] == [nil] } - keys.each { |k| hash[k] = nil } hash end diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index 8df68441c3..58ccf8ebc2 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -2,7 +2,7 @@ module ActionPack module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 5 + TINY = 6 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb index 181f51add5..bc0641e3a0 100644 --- a/actionpack/test/dispatch/request/query_string_parsing_test.rb +++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb @@ -89,6 +89,10 @@ class QueryStringParsingTest < ActionDispatch::IntegrationTest assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]") end + def test_array_parses_without_nil + assert_parses({"action" => ['1']}, "action[]=1&action[]") + end + test "query string with empty key" do assert_parses( { "action" => "create_customer", "full_name" => "David Heinemeier Hansson" }, |