From 4e9dd5378bd5bfaa095a96068c7d1b7c4f47e1b0 Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Sat, 30 Nov 2013 16:45:23 +1300
Subject: Deep Munge the parameters for GET and POST

The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.

Fixes CVE-2013-6417
---
 actionpack/lib/action_dispatch/http/request.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib/action_dispatch/http/request.rb')

diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index 99b81c898f..071ff0b63e 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -271,7 +271,7 @@ module ActionDispatch
 
     # Override Rack's GET method to support indifferent access
     def GET
-      @env["action_dispatch.request.query_parameters"] ||= (normalize_encode_params(super) || {})
+      @env["action_dispatch.request.query_parameters"] ||= deep_munge((normalize_encode_params(super) || {}))
     rescue TypeError => e
       raise ActionController::BadRequest.new(:query, e)
     end
@@ -279,7 +279,7 @@ module ActionDispatch
 
     # Override Rack's POST method to support indifferent access
     def POST
-      @env["action_dispatch.request.request_parameters"] ||= (normalize_encode_params(super) || {})
+      @env["action_dispatch.request.request_parameters"] ||= deep_munge((normalize_encode_params(super) || {}))
     rescue TypeError => e
       raise ActionController::BadRequest.new(:request, e)
     end
-- 
cgit v1.2.3