From d5cd97baa44fa66dc681041a213092b45c57c32f Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Fri, 4 Jan 2013 12:02:22 -0800
Subject: * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
 * dealing with empty hashes. Thanks Damien Mathieu

---
 .../test/dispatch/request/xml_params_parsing_test.rb    | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'actionpack/test/dispatch/request/xml_params_parsing_test.rb')

diff --git a/actionpack/test/dispatch/request/xml_params_parsing_test.rb b/actionpack/test/dispatch/request/xml_params_parsing_test.rb
index 0984f00066..cadafa7f38 100644
--- a/actionpack/test/dispatch/request/xml_params_parsing_test.rb
+++ b/actionpack/test/dispatch/request/xml_params_parsing_test.rb
@@ -30,6 +30,23 @@ class XmlParamsParsingTest < ActionDispatch::IntegrationTest
     assert_equal "<ok>bar</ok>", resp.body
   end
 
+  def assert_parses(expected, xml)
+    with_test_routing do
+      post "/parse", xml, default_headers
+      assert_response :ok
+      assert_equal(expected, TestController.last_request_parameters)
+    end
+  end
+
+  test "nils are stripped from collections" do
+    assert_parses(
+      {"hash" => { "person" => nil} },
+      "<hash><person type=\"array\"><person nil=\"true\"/></person></hash>")
+    assert_parses(
+      {"hash" => { "person" => ['foo']} },
+      "<hash><person type=\"array\"><person>foo</person><person nil=\"true\"/></person>\n</hash>")
+  end
+
   test "parses hash params" do
     with_test_routing do
       xml = "<person><name>David</name></person>"
-- 
cgit v1.2.3