From 5c656a271a890cca4b3d438cc1fc76ff98011cbe Mon Sep 17 00:00:00 2001

From: Aaron Patterson <aaron.patterson@gmail.com>

Date: Wed, 20 Jan 2016 10:39:19 -0800

Subject: [PATCH] allow :file to be outside rails root, but anything else must

 be inside the rails view directory

Conflicts:

	actionpack/test/controller/render_test.rb

	actionview/lib/action_view/template/resolver.rb

CVE-2016-0752

---

 actionpack/lib/abstract_controller/rendering.rb    |  8 +++++-

 actionpack/test/controller/render_test.rb          | 31 ++++++++++++++++++++++

 actionview/lib/action_view/lookup_context.rb       |  4 +++

 actionview/lib/action_view/path_set.rb             | 26 +++++++++++++-----

 .../lib/action_view/renderer/abstract_renderer.rb  |  2 +-

 .../lib/action_view/renderer/template_renderer.rb  |  2 +-

 actionview/lib/action_view/template/resolver.rb    | 25 ++++++++++++++---

 actionview/lib/action_view/testing/resolvers.rb    |  4 +--

 actionview/test/template/render_test.rb            |  7 +++++

 9 files changed, 93 insertions(+), 16 deletions(-)

diff --git a/actionpack/lib/abstract_controller/rendering.rb b/actionpack/lib/abstract_controller/rendering.rb

index 9d10140..e80d97f 100644

--- a/actionpack/lib/abstract_controller/rendering.rb

+++ b/actionpack/lib/abstract_controller/rendering.rb

@@ -77,7 +77,13 @@ module AbstractController

     # render "foo/bar" to render :file => "foo/bar".

     # :api: plugin

     def _normalize_args(action=nil, options={})

-      if action.is_a? Hash

+      case action

+      when ActionController::Parameters

+        unless action.permitted?

+          raise ArgumentError, "render parameters are not permitted"

+        end

+        action

+      when Hash

         action

       else

         options

diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb

index 26806fb..17a019e 100644

--- a/actionpack/test/controller/render_test.rb

+++ b/actionpack/test/controller/render_test.rb

@@ -52,6 +52,16 @@ class TestController < ActionController::Base

     end

   end

+  def dynamic_render

+    render params[:id] # => String, AC:Params

+  end

+

+  def dynamic_render_with_file

+    # This is extremely bad, but should be possible to do.

+    file = params[:id] # => String, AC:Params

+    render file: file

+  end

+

   def conditional_hello_with_public_header

     if stale?(:last_modified => Time.now.utc.beginning_of_day, :etag => [:foo, 123], :public => true)

       render :action => 'hello_world'

@@ -251,6 +261,20 @@ end

 class ExpiresInRenderTest < ActionController::TestCase

   tests TestController

+  def test_dynamic_render_with_file

+    # This is extremely bad, but should be possible to do.

+    assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))

+    response = get :dynamic_render_with_file, { id: '../\\../test/abstract_unit.rb' }

+    assert_equal File.read(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')),

+      response.body

+  end

+

+  def test_dynamic_render_file_hash

+    assert_raises ArgumentError do

+      get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }

+    end

+  end

+

   def test_expires_in_header

     get :conditional_hello_with_expires_in

     assert_equal "max-age=60, private", @response.headers["Cache-Control"]

-- 

2.2.1