Commit 92f9ff8c authored by Xavier Noria

converts hashes in arrays of unfiltered params to unpermitted params [fixes #13382]

Parent fbb79b51
* Converts hashes in arrays of unfiltered params to unpermitted params.
Fixes #13382
*Xavier Noria*
* New config option to opt out of params "deep munging" that was used to
address security vulnerability CVE-2013-0155. In your app config:
......
......@@ -330,11 +330,18 @@ def permitted=(new_permitted)
private
def convert_hashes_to_parameters(key, value)
if value.is_a?(Parameters) || !value.is_a?(Hash)
converted = convert_value_to_parameters(value)
self[key] = converted unless converted.equal?(value)
converted
end
def convert_value_to_parameters(value)
if value.is_a?(Array)
value.map { |_| convert_value_to_parameters(_) }
elsif value.is_a?(Parameters) || !value.is_a?(Hash)
value
else
# Convert to Parameters on first access
self[key] = self.class.new(value)
self.class.new(value)
end
end
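Review bot: `convert_value_to_parameters` returns a fresh array from `value.map { |_| convert_value_to_parameters(_) }` on every call, so the `converted.equal?(value)` guard in `convert_hashes_to_parameters` is never true for an array value and `self[key] = converted` is re-run on every access of that key, even after its hashes have already been wrapped. The wrapping itself is the right fix, since a Hash nested in an array previously came back as a plain Hash with no `permitted?` check at all, but consider skipping the reassignment when no element changed (for example, reusing `value` when every mapped element is `equal?` to the original) so the "Convert to Parameters on first access" comment stays accurate for arrays. Separately, `|_|` as a block parameter reads as an unused-variable marker; `|v|` or `|element|` would be clearer.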
......
......@@ -153,6 +153,13 @@ def assert_filtered_out(params, key)
assert_equal nil, params[:foo]
end
test 'hashes in array values get wrapped' do
params = ActionController::Parameters.new(foo: [{}, {}])
params[:foo].each do |hash|
assert !hash.permitted?
end
end
test "fetch doesnt raise ParameterMissing exception if there is a default" do
assert_equal "monkey", @params.fetch(:foo, "monkey")
assert_equal "monkey", @params.fetch(:foo) { "monkey" }
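Review bot: the new test `'hashes in array values get wrapped'` only asserts `!hash.permitted?` on each element of `params[:foo]`; if an element were still a plain Hash (the pre-fix behaviour) the call would raise NoMethodError instead of producing a clean assertion failure, and `permitted?` returning false does not by itself prove the element was wrapped. Add `assert_kind_of ActionController::Parameters, hash` before the `permitted?` check, and consider a second case with a nested array such as `foo: [[{}]]`, since `convert_value_to_parameters` recurses through arrays and that path is otherwise uncovered.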
......