From d5a4095ca5725d5eebcce153d7d0738375146cef Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Sat, 30 Nov 2013 16:45:23 +1300 Subject: Deep Munge the parameters for GET and POST The previous implementation of this functionality could be accidentally subverted by instantiating a raw Rack::Request before the first Rails::Request was constructed. Fixes CVE-2013-6417 Conflicts: actionpack/lib/action_dispatch/http/request.rb --- actionpack/lib/action_dispatch/http/request.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index 31155732d2..0f92b82b33 100644 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb @@ -228,13 +228,13 @@ module ActionDispatch # Override Rack's GET method to support indifferent access def GET - @env["action_dispatch.request.query_parameters"] ||= (normalize_parameters(super) || {}) + @env["action_dispatch.request.query_parameters"] ||= deep_munge(normalize_parameters(super) || {}) end alias :query_parameters :GET # Override Rack's POST method to support indifferent access def POST - @env["action_dispatch.request.request_parameters"] ||= (normalize_parameters(super) || {}) + @env["action_dispatch.request.request_parameters"] ||= deep_munge(normalize_parameters(super) || {}) end alias :request_parameters :POST -- cgit v1.2.3