From b7758b40fc035a47f6843158155606d455314c42 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Wed, 20 Jan 2016 10:39:19 -0800
Subject: allow :file to be outside rails root, but anything else must be inside the rails view directory
CVE-2016-0752
---
 actionview/test/template/render_test.rb | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'actionview/test')
diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb
index 994fd44c52..df27b52197 100644
--- a/actionview/test/template/render_test.rb
+++ b/actionview/test/template/render_test.rb
@@ -148,6 +148,13 @@ module RenderTestCases
 assert_equal "only partial", @view.render("test/partial_only")
 end
 
+ def test_render_outside_path
+ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+ assert_raises ActionView::MissingTemplate do
+ @view.render(:template => "../\\../test/abstract_unit.rb")
+ end
+ end
+
 def test_render_partial
 assert_equal "only partial", @view.render(:partial => "test/partial_only")
 end
-- 
cgit v1.2.3
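Review bot: The precondition on the first added line of test_render_outside_path checks that `../../test/abstract_unit.rb` exists, but the render call two lines later passes `"../\\../test/abstract_unit.rb"` (a literal backslash between the two dot-dot segments), so the existence assert does not establish that the path actually handed to render would have resolved before the fix. Adding a second `assert_raises ActionView::MissingTemplate do @view.render(:template => "../../test/abstract_unit.rb") end` with the plain spelling would make the test pin both forms, and since the subject says only :file may leave the view directory, a parallel case for `:partial` would pin that boundary as well. A one-line comment above the method such as `# Regression test for CVE-2016-0752: a template name that traverses outside the view paths must not resolve` would record why the test exists. The enclosing module RenderTestCases starts and ends outside the hunk.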