From 060c91cd59ab86583a8f2f52142960d3433f62f5 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 30 May 2012 15:13:03 -0700
Subject: Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting
 this!

CVE-2012-2660
---
 actionpack/lib/action_dispatch/http/request.rb | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index aa5ba3e8a5..6757a53bd1 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -263,6 +263,28 @@ module ActionDispatch
       LOCALHOST =~ remote_addr && LOCALHOST =~ remote_ip
     end
 
+    protected
+
+    # Remove nils from the params hash
+    def deep_munge(hash)
+      hash.each_value do |v|
+        case v
+        when Array
+          v.grep(Hash) { |x| deep_munge(x) }
+        when Hash
+          deep_munge(v)
+        end
+      end
+
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+      hash
+    end
+
+    def parse_query(qs)
+      deep_munge(super)
+    end
+
     private
 
     def check_method(name)
-- 
cgit v1.2.3