From 2ced6f2f8a85957b160710ae5d9fb245a6106550 Mon Sep 17 00:00:00 2001
From: Jeremy Kemper
Date: Sat, 5 Jan 2013 17:46:26 -0700
Subject: CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.

---
 actionpack/test/controller/webservice_test.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'actionpack/test/controller')

diff --git a/actionpack/test/controller/webservice_test.rb b/actionpack/test/controller/webservice_test.rb
index c0b9833603..2602540fbe 100644
--- a/actionpack/test/controller/webservice_test.rb
+++ b/actionpack/test/controller/webservice_test.rb
@@ -116,6 +116,19 @@ class WebServiceTest < ActionDispatch::IntegrationTest
     end
   end
 
+  def test_post_xml_using_a_disallowed_type_attribute
+    $stderr = StringIO.new
+    with_test_route_set do
+      post '/', 'value', 'CONTENT_TYPE' => 'application/xml'
+      assert_response 500
+
+      post '/', 'value', 'CONTENT_TYPE' => 'application/xml'
+      assert_response 500
+    end
+  ensure
+    $stderr = STDERR
+  end
+
   def test_register_and_use_yaml
     with_test_route_set do
       with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do
--
cgit v1.2.3
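Review bot: Both `post` calls in test_post_xml_using_a_disallowed_type_attribute check only `assert_response 500`, so the test also passes on any unrelated server error, and because `$stderr` is swapped for a throwaway `StringIO` the rejection reason is never inspected; keeping a handle (`err = $stderr = StringIO.new`) and adding `assert_match(/<expected parser message>/, err.string)` after the posts, with the parser's real message in place of the placeholder, would pin the test to the XML type-attribute rejection this commit is about. As shown on this page both request bodies are the bare string `'value'` with no element or `type` attribute, which looks like markup stripped in rendering rather than the committed test; if the bodies really are identical, the two cases (symbols and yaml per the subject line) are not distinguished. A one-line comment above the first `post` would also document why a 500 is the expected outcome, e.g. `# a disallowed type attribute makes the XML params parser raise; the integration stack surfaces that as a 500`. The enclosing class WebServiceTest starts before the hunk; the new method itself is complete within it.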