From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001
From: Arthur Neves <arthurnn@gmail.com>
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same
 way it is in the controllers. We should raise an error if that happens.

Fix CVE-2016-2098.
---
 actionview/test/template/render_test.rb         | 19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletion(-)

diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb
index 6b65bfb..b0af6ea 100644
--- a/actionview/test/template/render_test.rb
+++ b/actionview/test/template/render_test.rb
@@ -148,6 +148,25 @@ module RenderTestCases
     end
   end
 
+  def test_render_with_strong_parameters
+    params = { :inline => '<%= RUBY_VERSION %>' }
+    def params.permitted?
+      false
+    end
+    e = assert_raises ArgumentError do
+      @view.render(params)
+    end
+    assert_equal "render parameters are not permitted", e.message
+  end
+
+  def test_render_with_permitted_strong_parameters
+    params = { inline: "<%= 'hello' %>" }
+    def params.permitted?
+      true
+    end
+    assert_equal 'hello', @view.render(params)
+  end
+
   def test_render_partial
     assert_equal "only partial", @view.render(:partial => "test/partial_only")
   end
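Review bot: The diffstat lists only the test file, so the behaviour these two tests pin — an `ArgumentError` with the message "render parameters are not permitted" when the options object answers `permitted?` with false — is not implemented anywhere in this patch; presumably the guard lands in a companion change to the view rendering helper, and the two need to be applied together or this test file fails on its own. The tests also check only the duck-typed `permitted?` contract on a plain Hash with a singleton method, which is deliberate for actionview but worth stating, since a reader may expect an ActionController::Parameters fixture. A one-line comment above the first test would tie the tests to the fix they guard, e.g. `# CVE-2016-2098: options that respond to permitted? with false must not reach render`. The two tests also mix `:inline =>` and `inline:` hash syntax; using `inline:` in both keeps them consistent with the newer style. The enclosing `RenderTestCases` module starts and ends outside the hunk.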
-- 
2.5.4 (Apple Git-61)