rpms / rh-ror41-rubygem-actionview

Clone
Source Code
GIT

Files

  1.   8489f98d76b19381721b2068c98ce43689f714e3
  2.   SOURCES
  3.   rubygem-actionview-4.1.14.2-secure_inline_with_params.patch
Blob Blame History Raw 
From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001
From: Arthur Neves <arthurnn@gmail.com>
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same
 way it is in the controllers. We should raise an error if thats happens.

Fix CVE-2016-2098.
---
 actionview/lib/action_view/renderer/renderer.rb |  4 ++++
 1 files changed, 4 insertions(+), 0 deletion(-)

diff --git a/actionview/lib/action_view/renderer/renderer.rb b/actionview/lib/action_view/renderer/renderer.rb
index 964b183..5ba7b2b 100644
--- a/actionview/lib/action_view/renderer/renderer.rb
+++ b/actionview/lib/action_view/renderer/renderer.rb
@@ -17,6 +17,10 @@ module ActionView
 
     # Main render entry point shared by AV and AC.
     def render(context, options)
+      if options.respond_to?(:permitted?) && !options.permitted?
+        raise ArgumentError, "render parameters are not permitted"
+      end
+
       if options.key?(:partial)
         render_partial(context, options)
       else
-- 
2.5.4 (Apple Git-61)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation