Restrict which local names can be eval'd

[CVE-2020-8163]

Restrict which local names can be eval'd
[CVE-2020-8163]
4c46a15e · Matthew Draper · Aaron Patterson · e06a1e09 · 4c46a15e
隐藏空白更改
内联并排

Showing with 5 addition and 1 deletion

actionview/lib/action_view/template.rb actionview/lib/action_view/template.rb +5 -1

未找到文件。
--- a/actionview/lib/action_view/template.rb
+++ b/actionview/lib/action_view/template.rb
@@ -312,8 +312,12 @@ def handle_render_error(view, e) #:nodoc:
      end

      def locals_code #:nodoc:
+        # Only locals with valid variable names get set directly. Others will
+        # still be available in local_assigns.
+        locals = @locals.to_set - Module::DELEGATION_RESERVED_METHOD_NAMES
+        locals = locals.grep(/\A(?![A-Z0-9])(?:[[:alnum:]_]|[^\0-\177])+\z/)
        # Double assign to suppress the dreaded 'assigned but unused variable' warning
-        @locals.each_with_object('') { |key, code| code << "#{key} = #{key} = local_assigns[:#{key}];" }
+        locals.each_with_object('') { |key, code| code << "#{key} = #{key} = local_assigns[:#{key}];" }
      end

      def method_name #:nodoc: