From 1a65dd1c21cb7a70db054793deeb19dea1b357cf Mon Sep 17 00:00:00 2001

From: Aaron Patterson <aaron.patterson@gmail.com>

Date: Tue, 26 Jan 2016 17:06:31 -0800

Subject: [PATCH 1/2] Change render "foo" to render a template and not a file.

Previously, calling `render "foo/bar"` in a controller action is

equivalent to `render file: "foo/bar"`. This has been changed to

mean `render template: "foo/bar"` instead. If you need to render a

file, please change your code to use the explicit form

(`render file: "foo/bar"`) instead.

Test that we are not allowing you to grab a file with an absolute path

outside of your application directory. This is dangerous because it

could be used to retrieve files from the server like `/etc/passwd`.

Fix CVE-2016-2097.

---

 .../test/actionpack/controller/render_test.rb      | 23 ++++-------------

 1 files changed, 5 insertions(+), 18 deletions(-)

diff --git a/actionview/test/actionpack/controller/render_test.rb b/actionview/test/actionpack/controller/render_test.rb

index 45b8049..a9991fe 100644

--- a/actionview/test/actionpack/controller/render_test.rb

+++ b/actionview/test/actionpack/controller/render_test.rb

@@ -91,17 +91,17 @@ class TestController < ApplicationController

   # :ported:

   def render_hello_world

-    render :template => "test/hello_world"

+    render "test/hello_world"

   end

   def render_hello_world_with_last_modified_set

     response.last_modified = Date.new(2008, 10, 10).to_time

-    render :template => "test/hello_world"

+    render "test/hello_world"

   end

   # :ported: compatibility

   def render_hello_world_with_forward_slash

-    render :template => "/test/hello_world"

+    render "/test/hello_world"

   end

   # :ported:

@@ -111,7 +111,7 @@ class TestController < ApplicationController

   # :deprecated:

   def render_template_in_top_directory_with_slash

-    render :template => '/shared'

+    render '/shared'

   end

   # :ported:

@@ -160,13 +160,6 @@ class TestController < ApplicationController

   end

   # :ported:

-  def render_file_as_string_with_instance_variables

-    @secret = 'in the sauce'

-    path = File.expand_path(File.join(File.dirname(__FILE__), '../../fixtures/test/render_file_with_ivar'))

-    render path

-  end

-

-  # :ported:

   def render_file_not_using_full_path

     @secret = 'in the sauce'

     render :file => 'test/render_file_with_ivar'

@@ -194,7 +187,7 @@ class TestController < ApplicationController

   def render_file_as_string_with_locals

     path = File.expand_path(File.join(File.dirname(__FILE__), '../../fixtures/test/render_file_with_locals'))

-    render path, :locals => {:secret => 'in the sauce'}

+    render file: path, :locals => {:secret => 'in the sauce'}

   end

   def accessing_request_in_template

@@ -781,12 +774,6 @@ class RenderTest < ActionController::TestCase

   end

   # :ported:

-  def test_render_file_as_string_with_instance_variables

-    get :render_file_as_string_with_instance_variables

-    assert_equal "The secret is in the sauce\n", @response.body

-  end

-

-  # :ported:

   def test_render_file_not_using_full_path

     get :render_file_not_using_full_path

     assert_equal "The secret is in the sauce\n", @response.body

-- 

2.7.0