From 7171111d3af10c80e3b38658d4fa0aa36858677f Mon Sep 17 00:00:00 2001
From: Doug Cole <doug@estately.com>
Date: Sat, 26 Oct 2013 19:22:31 -0700
Subject: don't mutate hash with fetch

---
 actionpack/lib/action_controller/metal/strong_parameters.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib/action_controller/metal')

diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 66403d533c..fcc76f6225 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -284,7 +284,14 @@ module ActionController
     #   params.fetch(:none, 'Francesco')    # => "Francesco"
     #   params.fetch(:none) { 'Francesco' } # => "Francesco"
     def fetch(key, *args)
-      convert_hashes_to_parameters(key, super)
+      value = super
+      # Don't rely on +convert_hashes_to_parameters+
+      # so as to not mutate via a +fetch+
+      if value.is_a?(Hash)
+        value = self.class.new(value)
+        value.permit! if permitted?
+      end
+      value
     rescue KeyError
       raise ActionController::ParameterMissing.new(key)
     end
-- 
cgit v1.2.3