From 5c656a271a890cca4b3d438cc1fc76ff98011cbe Mon Sep 17 00:00:00 2001

From: Aaron Patterson <aaron.patterson@gmail.com>

Date: Wed, 20 Jan 2016 10:39:19 -0800

Subject: [PATCH] allow :file to be outside rails root, but anything else must

 be inside the rails view directory

Conflicts:

	actionpack/test/controller/render_test.rb

	actionview/lib/action_view/template/resolver.rb

CVE-2016-0752

---

 actionpack/lib/abstract_controller/rendering.rb    |  8 +++++-

 actionpack/test/controller/render_test.rb          | 31 ++++++++++++++++++++++

 actionview/lib/action_view/lookup_context.rb       |  4 +++

 actionview/lib/action_view/path_set.rb             | 26 +++++++++++++-----

 .../lib/action_view/renderer/abstract_renderer.rb  |  2 +-

 .../lib/action_view/renderer/template_renderer.rb  |  2 +-

 actionview/lib/action_view/template/resolver.rb    | 25 ++++++++++++++---

 actionview/lib/action_view/testing/resolvers.rb    |  4 +--

 actionview/test/template/render_test.rb            |  7 +++++

 9 files changed, 93 insertions(+), 16 deletions(-)

diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb

index 1316f85..caf6d13 100644

--- a/actionview/test/template/render_test.rb

+++ b/actionview/test/template/render_test.rb

@@ -142,6 +142,13 @@ module RenderTestCases

     assert_equal "only partial", @view.render("test/partial_only")

   end

+  def test_render_outside_path

+    assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))

+    assert_raises ActionView::MissingTemplate do

+      @view.render(:template => "../\\../test/abstract_unit.rb")

+    end

+  end

+

   def test_render_partial

     assert_equal "only partial", @view.render(:partial => "test/partial_only")

   end

-- 

2.2.1