From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001

From: Arthur Neves <arthurnn@gmail.com>

Date: Wed, 24 Feb 2016 20:29:10 -0500

Subject: [PATCH] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same

 way it is in the controllers. We should raise an error if thats happens.

Fix CVE-2016-2098.

---

 actionview/test/template/render_test.rb         | 19 +++++++++++++++++++

 1 files changed, 19 insertions(+), 0 deletion(-)

diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb

index caf6d13..b3de94f 100644

--- a/actionview/test/template/render_test.rb

+++ b/actionview/test/template/render_test.rb

@@ -149,6 +149,25 @@ module RenderTestCases

     end

   end

+  def test_render_with_strong_parameters

+    params = { :inline => '<%= RUBY_VERSION %>' }

+    def params.permitted?

+      false

+    end

+    e = assert_raises ArgumentError do

+      @view.render(params)

+    end

+    assert_equal "render parameters are not permitted", e.message

+  end

+

+  def test_render_with_permitted_strong_parameters

+    params = { inline: "<%= 'hello' %>" }

+    def params.permitted?

+      true

+    end

+    assert_equal 'hello', @view.render(params)

+  end

+

   def test_render_partial

     assert_equal "only partial", @view.render(:partial => "test/partial_only")

   end

-- 

2.5.4 (Apple Git-61)