diff --git lib/action_view/template/resolver.rb.orig lib/action_view/template/resolver.rb
index a508a68..4fda93f 100644
--- lib/action_view/template/resolver.rb.orig
+++ lib/action_view/template/resolver.rb
@@ -63,7 +63,7 @@ module ActionView
end
def query(path, exts, formats)
- query = File.join(@path, path)
+ query = escape_entry File.join(@path, path)
exts.each do |ext|
query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
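Review bot: The new call on the `query` line should use parentheses, `query = escape_entry(File.join(@path, path))`, since the style guide reserves paren-less calls for DSL-style macros and the argument here is itself a method call. Escaping the joined string also covers `@path`, so a resolver root containing glob metacharacters is now matched literally as well; that looks intended but is worth a comment, e.g. `# escape glob metacharacters in both the root and the requested name`. The body of `query` continues past the end of this hunk, so the later `Dir[]`/glob call that consumes `query` is not visible here.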
@@ -88,6 +88,10 @@ module ActionView
templates
end
+ def escape_entry(entry)
+ entry.gsub(/(\*|\[|\]|\{|\}|\?)/, "\\\\\\1")
+ end
+
# Extract handler and formats from path. If a format cannot be a found neither
# from the path, or the handler, we should return the array of formats given
# to the resolver.
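Review bot: The character class in `escape_entry` leaves out the backslash, which is the glob escape character itself, so a template name containing `\` can still alter how the following character is matched; unless backslash is needed as a path separator on Windows, `\\` belongs in the set, e.g. `entry.gsub(/[\\*\[\]{}?]/) { "\\#{$&}" }`, which is also easier to read than the `"\\\\\\1"` replacement string. The helper is added without documentation; a one-line comment such as `# Escape glob metacharacters so the entry is matched literally by Dir[].` would make its purpose clear to the next reader. Whether it lands under an existing `private` marker cannot be seen from this hunk; if not, it should be made private since it is only used by `query`.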
diff --git test/controller/render_test.rb.orig test/controller/render_test.rb
index c5c79c1..69112f0 100644
--- test/controller/render_test.rb.orig
+++ test/controller/render_test.rb
@@ -396,6 +396,14 @@ class TestController < ActionController::Base
render :template => "test/hello_world"
end
+ def render_with_explicit_unescaped_template
+ render :template => "test/h*llo_world"
+ end
+
+ def render_with_explicit_escaped_template
+ render :template => "test/hello_w*rld"
+ end
+
def render_with_explicit_string_template
render "test/hello_world"
end
@@ -1057,6 +1065,12 @@ class RenderTest < ActionController::TestCase
assert_response :success
end
+ def test_render_with_explicit_unescaped_template
+ assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
+ get :render_with_explicit_escaped_template
+ assert_equal "Hello w*rld!", @response.body
+ end
+
def test_render_with_explicit_string_template
get :render_with_explicit_string_template
assert_equal "<html>Hello world!</html>", @response.body
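Review bot: The test depends on the new fixture `test/fixtures/test/hello_w*rld.erb`, and a file name containing `*` cannot be created on Windows filesystems, so the checkout and this test will fail there; a filename with a metacharacter that is valid everywhere, such as `[` or `{`, would exercise the same escaping without that portability cost (this applies to the fixture hunk below as well). The action names are also easy to misread: `render_with_explicit_unescaped_template` is the case that must now raise `MissingTemplate`, which is the point of the fix, so a comment like `# "h*llo_world" must no longer glob-match hello_world` on the `assert_raise` line would record why that is the expected outcome. Combining the failing and succeeding cases in one test means a failure of the first hides the second; consider splitting them.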
diff --git test/fixtures/test/hello_w*rld.erb test/fixtures/test/hello_w*rld.erb
new file mode 100644
index 0000000..bc8fa5e
--- /dev/null
+++ test/fixtures/test/hello_w*rld.erb
@@ -0,0 +1 @@
+Hello w*rld!
\ No newline at end of file