Merge pull request #30 from github/CVE-2013-6417

CVE-2013-6417

Merge pull request #30 from github/CVE-2013-6417
CVE-2013-6417
d13866d7 · Ted Nyman · dfa2f469 · 379dd907 · d13866d7
隐藏空白更改
内联并排

Showing with 18 addition and 2 deletion

actionpack/lib/action_controller/request.rb actionpack/lib/action_controller/request.rb +18 -2

未找到文件。
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -423,13 +423,13 @@ def form_data?

    # Override Rack's GET method to support indifferent access
    def GET
-      @env["action_controller.request.query_parameters"] ||= normalize_parameters(super)
+      @env["action_controller.request.query_parameters"] ||= deep_munge(normalize_parameters(super) || {})
    end
    alias_method :query_parameters, :GET

    # Override Rack's POST method to support indifferent access
    def POST
-      @env["action_controller.request.request_parameters"] ||= normalize_parameters(super)
+      @env["action_controller.request.request_parameters"] ||= deep_munge(normalize_parameters(super) || {})
    end
    alias_method :request_parameters, :POST

@@ -469,6 +469,22 @@ def named_host?(host)
        !(host.nil? || /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.match(host))
      end

+      # Remove nils from the params hash
+      def deep_munge(hash)
+        hash.each do |k, v|
+          case v
+          when Array
+            v.grep(Hash) { |x| deep_munge(x) }
+            v.compact!
+            hash[k] = nil if v.empty?
+          when Hash
+            deep_munge(v)
+          end
+        end
+
+        hash
+      end
+
      # Convert nested Hashs to HashWithIndifferentAccess and replace
      # file upload hashs with UploadedFile objects
      def normalize_parameters(value)