From 5c656a271a890cca4b3d438cc1fc76ff98011cbe Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 20 Jan 2016 10:39:19 -0800 Subject: [PATCH] allow :file to be outside rails root, but anything else must be inside the rails view directory Conflicts: actionpack/test/controller/render_test.rb actionview/lib/action_view/template/resolver.rb CVE-2016-0752 --- actionpack/lib/abstract_controller/rendering.rb | 8 +++++- actionpack/test/controller/render_test.rb | 31 ++++++++++++++++++++++ actionview/lib/action_view/lookup_context.rb | 4 +++ actionview/lib/action_view/path_set.rb | 26 +++++++++++++----- .../lib/action_view/renderer/abstract_renderer.rb | 2 +- .../lib/action_view/renderer/template_renderer.rb | 2 +- actionview/lib/action_view/template/resolver.rb | 25 ++++++++++++++--- actionview/lib/action_view/testing/resolvers.rb | 4 +-- actionview/test/template/render_test.rb | 7 +++++ 9 files changed, 93 insertions(+), 16 deletions(-) diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb index 1316f85..caf6d13 100644 --- a/actionview/test/template/render_test.rb +++ b/actionview/test/template/render_test.rb @@ -142,6 +142,13 @@ module RenderTestCases assert_equal "only partial", @view.render("test/partial_only") end + def test_render_outside_path + assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')) + assert_raises ActionView::MissingTemplate do + @view.render(:template => "../\\../test/abstract_unit.rb") + end + end + def test_render_partial assert_equal "only partial", @view.render(:partial => "test/partial_only") end -- 2.2.1
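Review bot: `test_render_outside_path` pins only the backslash-escaped variant (`"../\\../test/abstract_unit.rb"`, i.e. the glob-escape bypass where `\.` matches a literal `.`), so a future regression in the resolver's path normalization that lets the plain form through would not be caught by this test. I would add, inside the same method, `assert_raises(ActionView::MissingTemplate) { @view.render(:template => "../../test/abstract_unit.rb") }` and `assert_raises(ActionView::MissingTemplate) { @view.render(:template => File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')) }` to cover the unescaped relative and the absolute form. The `File.exist?` precondition resolves relative to `__FILE__`, while the render call resolves relative to the view load path; the two only coincide if the fixture path is one directory below `actionview/test`, which this hunk does not show, so a short comment stating that assumption would help the next maintainer. The commit message says `:file` may still point outside the rails root, but no positive test for that appears in this hunk; presumably the actionpack `render_test.rb` change covers it. The enclosing `module RenderTestCases` starts and ends outside the hunk.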