From 4752e7d83794ecf23c6d0367f0bcad8eee33da59 Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Tue, 7 Jul 2015 13:47:16 -0400
Subject: Prevent ActionController::Parameters from being passed to url_for
 directly

---
 actionpack/lib/action_dispatch/routing/url_for.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib/action_dispatch')

diff --git a/actionpack/lib/action_dispatch/routing/url_for.rb b/actionpack/lib/action_dispatch/routing/url_for.rb
index b6c031dcf4..f91679593e 100644
--- a/actionpack/lib/action_dispatch/routing/url_for.rb
+++ b/actionpack/lib/action_dispatch/routing/url_for.rb
@@ -172,8 +172,11 @@ module ActionDispatch
           _routes.url_for(options.symbolize_keys.reverse_merge!(url_options),
                          route_name)
         when ActionController::Parameters
+          unless options.permitted?
+            raise ArgumentError.new("Generating an URL from non sanitized request parameters is insecure!")
+          end
           route_name = options.delete :use_route
-          _routes.url_for(options.to_unsafe_h.symbolize_keys.
+          _routes.url_for(options.to_h.symbolize_keys.
                           reverse_merge!(url_options), route_name)
         when String
           options
-- 
cgit v1.2.3