From 5c656a271a890cca4b3d438cc1fc76ff98011cbe Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 20 Jan 2016 10:39:19 -0800
Subject: [PATCH] allow :file to be outside rails root, but anything else must
be inside the rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
---
actionpack/lib/abstract_controller/rendering.rb | 8 +++++-
actionpack/test/controller/render_test.rb | 31 ++++++++++++++++++++++
actionview/lib/action_view/lookup_context.rb | 4 +++
actionview/lib/action_view/path_set.rb | 26 +++++++++++++-----
.../lib/action_view/renderer/abstract_renderer.rb | 2 +-
.../lib/action_view/renderer/template_renderer.rb | 2 +-
actionview/lib/action_view/template/resolver.rb | 25 ++++++++++++++---
actionview/lib/action_view/testing/resolvers.rb | 4 +--
actionview/test/template/render_test.rb | 7 +++++
9 files changed, 93 insertions(+), 16 deletions(-)
diff --git a/actionview/lib/action_view/lookup_context.rb b/actionview/lib/action_view/lookup_context.rb
index 855fed0..93ef701 100644
--- a/actionview/lib/action_view/lookup_context.rb
+++ b/actionview/lib/action_view/lookup_context.rb
@@ -125,6 +125,10 @@ module ActionView
end
alias :find_template :find
+ def find_file(name, prefixes = [], partial = false, keys = [], options = {})
+ @view_paths.find_file(*args_for_lookup(name, prefixes, partial, keys, options))
+ end
+
def find_all(name, prefixes = [], partial = false, keys = [], options = {})
@view_paths.find_all(*args_for_lookup(name, prefixes, partial, keys, options))
end
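Review bot: `find_file` is a public LookupContext method that deliberately skips the view-path containment check applied by `find`, but nothing at the definition says so, and a future caller could reach for it as a plain synonym of `find`. A comment above the `def` would make the contract explicit: `# Like find, but the resolver may return a template outside its own view path; intended only for render :file.` The actual widening happens in PathSet and Resolver rather than in this one-line body, so the comment should point there.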
diff --git a/actionview/lib/action_view/path_set.rb b/actionview/lib/action_view/path_set.rb
index 91ee2ea..8d21913 100644
--- a/actionview/lib/action_view/path_set.rb
+++ b/actionview/lib/action_view/path_set.rb
@@ -46,23 +46,35 @@ module ActionView #:nodoc:
find_all(*args).first || raise(MissingTemplate.new(self, *args))
end
+ def find_file(path, prefixes = [], *args)
+ _find_all(path, prefixes, args, true).first || raise(MissingTemplate.new(self, path, prefixes, *args))
+ end
+
def find_all(path, prefixes = [], *args)
+ _find_all path, prefixes, args, false
+ end
+
+ def exists?(path, prefixes, *args)
+ find_all(path, prefixes, *args).any?
+ end
+
+ private
+
+ def _find_all(path, prefixes, args, outside_app)
prefixes = [prefixes] if String === prefixes
prefixes.each do |prefix|
paths.each do |resolver|
- templates = resolver.find_all(path, prefix, *args)
+ if outside_app
+ templates = resolver.find_all_anywhere(path, prefix, *args)
+ else
+ templates = resolver.find_all(path, prefix, *args)
+ end
return templates unless templates.empty?
end
end
[]
end
- def exists?(path, prefixes, *args)
- find_all(path, prefixes, *args).any?
- end
-
- private
-
def typecast(paths)
paths.map do |path|
case path
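Review bot: In `_find_all` the `if outside_app` branch is re-evaluated for every prefix/resolver pair although `outside_app` is loop-invariant; selecting the lookup once reads more directly: `lookup = outside_app ? :find_all_anywhere : :find_all` before `prefixes.each`, then `templates = resolver.public_send(lookup, path, prefix, *args)` in the inner loop. Keeping `find_all` and `exists?` on the restricted path while only `find_file` passes `true` is the right default, and a one-line comment on `_find_all` stating that `outside_app` is the only switch that lifts the containment check would help the next reader. The `typecast` method at the end continues outside the hunk.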
diff --git a/actionview/lib/action_view/renderer/abstract_renderer.rb b/actionview/lib/action_view/renderer/abstract_renderer.rb
index 73c19a0..8457008 100644
--- a/actionview/lib/action_view/renderer/abstract_renderer.rb
+++ b/actionview/lib/action_view/renderer/abstract_renderer.rb
@@ -15,7 +15,7 @@ module ActionView
# that new object is called in turn. This abstracts the setup and rendering
# into a separate classes for partials and templates.
class AbstractRenderer #:nodoc:
- delegate :find_template, :template_exists?, :with_fallbacks, :with_layout_format, :formats, :to => :@lookup_context
+ delegate :find_template, :find_file, :template_exists?, :with_fallbacks, :with_layout_format, :formats, :to => :@lookup_context
def initialize(lookup_context)
@lookup_context = lookup_context
diff --git a/actionview/lib/action_view/renderer/template_renderer.rb b/actionview/lib/action_view/renderer/template_renderer.rb
index be17097..66b611d 100644
--- a/actionview/lib/action_view/renderer/template_renderer.rb
+++ b/actionview/lib/action_view/renderer/template_renderer.rb
@@ -30,7 +30,7 @@ module ActionView
elsif options.key?(:html)
Template::HTML.new(options[:html], formats.first)
elsif options.key?(:file)
- with_fallbacks { find_template(options[:file], nil, false, keys, @details) }
+ with_fallbacks { find_file(options[:file], nil, false, keys, @details) }
elsif options.key?(:inline)
handler = Template.handler_for_extension(options[:type] || "erb")
Template.new(options[:inline], "inline template", handler, :locals => keys)
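Review bot: The `:file` branch is now the single render option whose lookup may resolve outside the configured view paths, and that is not visible at the call site where `find_template` was swapped for `find_file`. A comment on the changed line would record the intent for the next maintainer, e.g. `# :file is the only option allowed to resolve outside the view paths (find_file); every other branch stays confined to them.` The enclosing method starts and ends outside the hunk.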
diff --git a/actionview/lib/action_view/template/resolver.rb b/actionview/lib/action_view/template/resolver.rb
index f1bb47a..8d8a37e 100644
--- a/actionview/lib/action_view/template/resolver.rb
+++ b/actionview/lib/action_view/template/resolver.rb
@@ -112,7 +112,13 @@ module ActionView
# Normalizes the arguments and passes it on to find_templates.
def find_all(name, prefix=nil, partial=false, details={}, key=nil, locals=[])
cached(key, [name, prefix, partial], details, locals) do
- find_templates(name, prefix, partial, details)
+ find_templates(name, prefix, partial, details, false)
+ end
+ end
+
+ def find_all_anywhere(name, prefix, partial=false, details={}, key=nil, locals=[])
+ cached(key, [name, prefix, partial], details, locals) do
+ find_templates(name, prefix, partial, details, true)
end
end
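Review bot: `find_all` and `find_all_anywhere` call `cached` with an identical key `[name, prefix, partial]`, so if `cached` stores results keyed only on those arguments (its body is not in the hunk), the two lookups share one cache slot: a result produced by `find_all_anywhere` could be handed to a later `find_all` for the same name, or an empty restricted result could mask a later unrestricted one. Adding a distinguishing element to the key in the unrestricted variant, e.g. `cached(key, [name, prefix, partial, true], details, locals)`, keeps the two result sets apart. Please confirm against `cached`'s implementation whether the key array is hashed as a whole before relying on this.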
@@ -173,15 +179,16 @@ module ActionView
private
- def find_templates(name, prefix, partial, details)
+ def find_templates(name, prefix, partial, details, outside_app_allowed = false)
path = Path.build(name, prefix, partial)
- query(path, details, details[:formats])
+ query(path, details, details[:formats], outside_app_allowed)
end
- def query(path, details, formats)
+ def query(path, details, formats, outside_app_allowed)
query = build_query(path, details)
template_paths = find_template_paths query
+ template_paths = reject_files_external_to_app(template_paths) unless outside_app_allowed
template_paths.map { |template|
handler, format, variant = extract_handler_and_format_and_variant(template, formats)
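Review bot: `find_templates` and `query` gain a positional boolean `outside_app_allowed` with no comment, and `query` is overridden by subclasses elsewhere in this patch, so the meaning of the new fourth argument should be stated where it is introduced. Suggested comment above `def find_templates`: `# outside_app_allowed: when true, results outside @path are kept (render :file only); the false default confines lookups to this resolver's directory.` Defaulting the parameter to `false` is the right choice, since any override or caller that forgets the flag stays on the restricted path. The `template_paths.map` block continues outside the hunk.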
@@ -196,6 +203,10 @@ module ActionView
}
end
+ def reject_files_external_to_app(files)
+ files.reject { |filename| !inside_path?(@path, filename) }
+ end
+
if RUBY_VERSION >= '2.2.0'
def find_template_paths(query)
Dir[query].reject { |filename|
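Review bot: `reject_files_external_to_app` negates its predicate inside `reject`, which reads as a double negative; `files.select { |filename| inside_path?(@path, filename) }` expresses the same filter directly. A short comment naming the purpose would also help, e.g. `# Keep only glob results that live under this resolver's directory.` `find_template_paths` continues outside the hunk.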
@@ -216,6 +227,12 @@ module ActionView
end
end
+ def inside_path?(path, filename)
+ filename = File.expand_path(filename)
+ path = File.join(path, '')
+ filename.start_with?(path)
+ end
+
# Helper for building query glob string based on resolver's pattern.
def build_query(path, details)
query = @pattern.dup
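Review bot: `inside_path?` expands `filename` but not `path`, so the prefix comparison is only sound if `@path` is already absolute and normalized when the resolver is constructed; that initialization is not in this hunk, and a relative or un-normalized `@path` would make every comparison fail or pass incorrectly. Expanding both sides removes the dependency on that assumption: `path = File.join(File.expand_path(path), '')`. Appending the separator before `start_with?` is correct and stops a sibling directory that merely shares the prefix from matching; a comment saying so, e.g. `# trailing separator so /views2 does not match /views`, would preserve that reasoning. `build_query` continues outside the hunk.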
diff --git a/actionview/lib/action_view/testing/resolvers.rb b/actionview/lib/action_view/testing/resolvers.rb
index dfb7d46..e88f425 100644
--- a/actionview/lib/action_view/testing/resolvers.rb
+++ b/actionview/lib/action_view/testing/resolvers.rb
@@ -19,7 +19,7 @@ module ActionView #:nodoc:
private
- def query(path, exts, formats)
+ def query(path, exts, formats, _)
query = ""
EXTENSIONS.each_key do |ext|
query << '(' << exts[ext].map {|e| e && Regexp.escape(".#{e}") }.join('|') << '|)'
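Review bot: The new fourth parameter of `query` is named `_`, which hides what the test resolvers are choosing to ignore; `_outside_app_allowed` keeps the same ignore-me convention while still naming the contract, here and in the `NullResolver#query` hunk below. A one-line comment such as `# containment flag intentionally ignored: test resolvers apply no path filter` would tell a reader this is deliberate rather than an oversight. The first `query` method continues outside the hunk.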
@@ -44,7 +44,7 @@ module ActionView #:nodoc:
end
class NullResolver < PathResolver
- def query(path, exts, formats)
+ def query(path, exts, formats, _)
handler, format, variant = extract_handler_and_format_and_variant(path, formats)
[ActionView::Template.new("Template generated by Null Resolver", path, handler, :virtual_path => path, :format => format, :variant => variant)]
end
--
2.2.1