Blame SOURCES/rubygem-actionview-4.1.14.2-secure_inline_with_params.patch

8489f9
From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001
From: Arthur Neves <arthurnn@gmail.com>
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH] Don't allow render(params) on views.
If `render(params)` is called in a view it should be protected the same
way it is in the controllers. We should raise an error if that happens.
Fix CVE-2016-2098.
---
 actionview/lib/action_view/renderer/renderer.rb |  4 ++++
 1 files changed, 4 insertions(+), 0 deletion(-)
diff --git a/actionview/lib/action_view/renderer/renderer.rb b/actionview/lib/action_view/renderer/renderer.rb
index 964b183..5ba7b2b 100644
--- a/actionview/lib/action_view/renderer/renderer.rb
+++ b/actionview/lib/action_view/renderer/renderer.rb
@@ -17,6 +17,10 @@ module ActionView
 
     # Main render entry point shared by AV and AC.
     def render(context, options)
+      if options.respond_to?(:permitted?) && !options.permitted?
+        raise ArgumentError, "render parameters are not permitted"
+      end
+
       if options.key?(:partial)
         render_partial(context, options)
       else
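Review bot: no test accompanies the new guard (`+      if options.respond_to?(:permitted?) && !options.permitted?`); the diffstat lists only renderer.rb, so a test asserting that `render(params)` from a view raises ArgumentError while `render(params.permit(...))` and a plain options Hash still render would pin the intended behaviour. Worth stating in the commit message as well: the check is duck-typed, so any options object that does not respond to `permitted?` (including a Hash built from request input) is not rejected and falls through to the existing `options.key?(:partial)` dispatch unchanged; only unpermitted `ActionController::Parameters` objects are refused.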
-- 
2.5.4 (Apple Git-61)