From 5c656a271a890cca4b3d438cc1fc76ff98011cbe Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 20 Jan 2016 10:39:19 -0800
Subject: [PATCH] allow :file to be outside rails root, but anything else must
be inside the rails view directory
Conflicts:
actionpack/test/controller/render_test.rb
actionview/lib/action_view/template/resolver.rb
CVE-2016-0752
---
actionpack/lib/abstract_controller/rendering.rb | 8 +++++-
actionpack/test/controller/render_test.rb | 31 ++++++++++++++++++++++
actionview/lib/action_view/lookup_context.rb | 4 +++
actionview/lib/action_view/path_set.rb | 26 +++++++++++++-----
.../lib/action_view/renderer/abstract_renderer.rb | 2 +-
.../lib/action_view/renderer/template_renderer.rb | 2 +-
actionview/lib/action_view/template/resolver.rb | 25 ++++++++++++++---
actionview/lib/action_view/testing/resolvers.rb | 4 +--
actionview/test/template/render_test.rb | 7 +++++
9 files changed, 93 insertions(+), 16 deletions(-)
diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb
index 1316f85..caf6d13 100644
--- a/actionview/test/template/render_test.rb
+++ b/actionview/test/template/render_test.rb
@@ -142,6 +142,13 @@ module RenderTestCases
assert_equal "only partial", @view.render("test/partial_only")
end
+ def test_render_outside_path
+ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+ assert_raises ActionView::MissingTemplate do
+ @view.render(:template => "../\\../test/abstract_unit.rb")
+ end
+ end
+
def test_render_partial
assert_equal "only partial", @view.render(:partial => "test/partial_only")
end
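Review bot: The new test_render_outside_path leans on an unstated relationship between two different bases: the File.exist? precondition resolves `../../test/abstract_unit.rb` relative to this test file, while the render call resolves `"../\\../test/abstract_unit.rb"` relative to the view's lookup paths, and nothing in the test says these are meant to be the same file or why the backslash is in the template name. A comment above the first assert such as `# precondition: the target really exists on disk, so MissingTemplate must come from the path restriction rather than from an absent file` and one above the render call such as `# the escaped separator must not let lookup leave the view directory` would make the intent durable for the next maintainer. Only the backslash-escaped form of the traversal is exercised here; whether the plain `../../` form is covered by the other test file in the diffstat is not visible from this hunk.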
--
2.2.1