From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001
From: Arthur Neves <arthurnn@gmail.com>
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same
 way it is in the controllers. We should raise an error if that happens.

Fix CVE-2016-2098.
---
 actionpack/test/controller/render_test.rb       | 24 +++++++++++++++++++++++-
 1 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index a2d87a8..d607405 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -280,6 +280,16 @@ class MetalTestController < ActionController::Metal
   end
 end
 
+class MetalWithoutAVTestController < ActionController::Metal
+  include AbstractController::Rendering
+  include ActionController::Rendering
+  include ActionController::StrongParameters
+
+  def dynamic_params_render
+    render params
+  end
+end
+
 class ExpiresInRenderTest < ActionController::TestCase
   tests TestController
 
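Review bot: The new `MetalWithoutAVTestController` fixture gives no hint of why it exists, and `render params` at line 29 reads like a bug to anyone who has not seen the commit message. A short comment above the class would carry the intent: `# Fixture for CVE-2016-2098: a Metal controller with StrongParameters but no ActionView, whose action passes the request's Parameters straight to render so the test can assert the guard raises.` The `dynamic_params_render` body is deliberately the vulnerable call pattern, so it should stay as written. `ExpiresInRenderTest` continues outside this hunk.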
@@ -299,9 +309,10 @@ class ExpiresInRenderTest < ActionController::TestCase
   end
 
   def test_dynamic_render_file_hash
-    assert_raises ArgumentError do
+    e = assert_raises ArgumentError do
       get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
     end
+    assert_equal "render parameters are not permitted", e.message
   end
 
   def test_expires_in_header
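Review bot: The new assertion at line 44 pins the exact message "render parameters are not permitted", but nothing in this patch produces it — the diffstat lists only `render_test.rb`, so the guard that raises it presumably lands in a companion change to the rendering code. That is worth stating in the test so a reader does not look for the implementation here; e.g. above the assertion, `# Message comes from the render guard in AbstractController/ActionController::Rendering (separate patch); exact match distinguishes it from other ArgumentErrors.` The same applies to the identical assertion in the `MetalRenderWithoutAVTest` hunk below. `ExpiresInRenderTest` starts and ends outside this hunk.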
@@ -500,6 +511,17 @@ class MetalRenderTest < ActionController::TestCase
   end
 end
 
+class MetalRenderWithoutAVTest < ActionController::TestCase
+  tests MetalWithoutAVTestController
+
+  def test_dynamic_params_render
+    e = assert_raises ArgumentError do
+      get :dynamic_params_render, { inline: '<%= RUBY_VERSION %>' }
+    end
+    assert_equal "render parameters are not permitted", e.message
+  end
+end
+
 class HeadRenderTest < ActionController::TestCase
   tests TestController
 
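Review bot: `test_dynamic_params_render` has no comment tying it to the issue it regresses, and the `inline: '<%= RUBY_VERSION %>'` parameter at line 57 is opaque without that context. I would add above the method `# Regression test for CVE-2016-2098: a request parameter must never reach render as an options hash; the inline template would be evaluated if the guard were missing.` The test name could also be more specific, e.g. `test_render_with_params_raises_argument_error`, but that is optional. `HeadRenderTest` continues outside this hunk.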
-- 
2.5.4 (Apple Git-61)