From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001
From: Arthur Neves
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same way it is in the controllers. We should raise an error if thats happens. Fix CVE-2016-2098.
---
 actionview/lib/action_view/renderer/renderer.rb | 4 ++++
 1 files changed, 4 insertions(+), 0 deletion(-)

diff --git a/actionview/lib/action_view/renderer/renderer.rb b/actionview/lib/action_view/renderer/renderer.rb
index 964b183..5ba7b2b 100644
--- a/actionview/lib/action_view/renderer/renderer.rb
+++ b/actionview/lib/action_view/renderer/renderer.rb
@@ -17,6 +17,10 @@ module ActionView
 # Main render entry point shared by AV and AC.
 def render(context, options)
+ if options.respond_to?(:permitted?) && !options.permitted?
+ raise ArgumentError, "render parameters are not permitted"
+ end
+
 if options.key?(:partial)
 render_partial(context, options)
 else
-- 
2.5.4 (Apple Git-61)
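Review bot: No regression test accompanies the new guard in `render` — the diffstat lists only renderer.rb — so a test in actionview that renders a template containing `<%= render(params) %>` with unpermitted parameters and asserts `ArgumentError` is needed to keep this security check from being quietly simplified away later. The `respond_to?(:permitted?)` condition also reads as an odd duck-typing check out of context and deserves a why-comment above the `if`, e.g. `# Reject an unpermitted ActionController::Parameters (CVE-2016-2098): render options coming straight from the request must not choose what is rendered, mirroring the controller-side check.` Because the guard is duck-typed it is bypassed by any object that does not answer `permitted?`, such as a plain Hash built from `params.to_unsafe_h`; that is presumably the intended explicit opt-out, but it is worth saying so in the comment. The body of `render` continues past the end of the hunk.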