From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001
From: Arthur Neves <arthurnn@gmail.com>
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH] Don't allow render(params) on views.
If `render(params)` is called in a view it should be protected the same
way it is in the controllers. We should raise an error if that happens.
Fix CVE-2016-2098.
---
actionpack/test/controller/render_test.rb | 24 +++++++++++++++++++++++-
1 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index 0fcbb86..7bdf65c 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -258,6 +258,16 @@ class MetalTestController < ActionController::Metal
end
end
+class MetalWithoutAVTestController < ActionController::Metal
+ include AbstractController::Rendering
+ include ActionController::Rendering
+ include ActionController::StrongParameters
+
+ def dynamic_params_render
+ render params
+ end
+end
+
class ExpiresInRenderTest < ActionController::TestCase
tests TestController
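Review bot: `MetalWithoutAVTestController#dynamic_params_render` hands the request's `params` straight to `render` on purpose, but nothing in the hunk says so, and a reader skimming this fixture class may take it as a pattern to copy. A one-line comment above the action, `# Deliberately unsafe fixture: passes unfiltered request params to render; the test expects ArgumentError.`, would make the intent explicit. The `include ActionController::StrongParameters` line is presumably what makes `params` an `ActionController::Parameters` rather than a plain Hash, which is what the assertion in `MetalRenderWithoutAVTest` depends on; naming that dependency in the same comment would stop a later cleanup from dropping the include and silently changing what the test exercises.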
@@ -287,9 +297,10 @@ class ExpiresInRenderTest < ActionController::TestCase
end
def test_dynamic_render_file_hash
- assert_raises ArgumentError do
+ e = assert_raises ArgumentError do
get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
end
+ assert_equal "render parameters are not permitted", e.message
end
def test_expires_in_header
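Review bot: The added line `assert_equal "render parameters are not permitted", e.message` pins a message that nothing in this patch produces — the diffstat lists only `actionpack/test/controller/render_test.rb`, so the library-side check that raises this `ArgumentError` must land in a companion change, and `test_dynamic_render_file_hash` will fail until it does. The same applies to the identical assertion in `MetalRenderWithoutAVTest#test_dynamic_params_render` in the last hunk. A comment above the assertion such as `# Exact message comes from the library-side render-parameter check (companion fix for CVE-2016-2098).` would tell the next reader where the string is expected to originate, and the commit message could reference that companion change.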
@@ -466,6 +477,17 @@ class MetalRenderTest < ActionController::TestCase
end
end
+class MetalRenderWithoutAVTest < ActionController::TestCase
+ tests MetalWithoutAVTestController
+
+ def test_dynamic_params_render
+ e = assert_raises ArgumentError do
+ get :dynamic_params_render, { inline: '<%= RUBY_VERSION %>' }
+ end
+ assert_equal "render parameters are not permitted", e.message
+ end
+end
+
class HeadRenderTest < ActionController::TestCase
tests TestController
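Review bot: The literal `"render parameters are not permitted"` is now repeated verbatim in `MetalRenderWithoutAVTest#test_dynamic_params_render` and in `ExpiresInRenderTest#test_dynamic_render_file_hash` in the previous hunk; if the library wording ever changes, one of the two will drift. A single frozen constant near the top of the test file, `RENDER_PARAMS_NOT_PERMITTED = "render parameters are not permitted".freeze`, referenced from both `assert_equal` calls, keeps them in step. The new test also covers only the rejection path: nothing here asserts that `render` still accepts a literal Hash in this ActionView-less Metal controller, so an over-broad library check that refuses every Hash-like argument would pass this suite; a small positive case alongside this one would pin both sides, though I can't tell from this hunk which render options the Metal setup supports.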
--
2.5.4 (Apple Git-61)