pvalena / rpms / rubygem-actionview

Forked from rpms/rubygem-actionview 6 years ago
Clone
Source Code
GIT

Files

copr epel7 f21 f22 f23 f24 f25 f26 f27 master prerelease rebase rebase-f35
  1.   f23
  2.   rubygem-actionview-4.2.5.2-secure_inline_with_params.patch
Blob Blame History Raw 
From f8e2fe8810d67adfcef8acd95b0e51a31de16acd Mon Sep 17 00:00:00 2001
From: Arthur Neves <arthurnn@gmail.com>
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same
 way it is in the controllers. We should raise an error if thats happens.

Fix CVE-2016-2098.
---
 actionview/lib/action_view/renderer/renderer.rb |  4 ++++
 1 files changed, 4 insertions(+), 0 deletion(-)

diff --git a/actionview/lib/action_view/renderer/renderer.rb b/actionview/lib/action_view/renderer/renderer.rb
index 964b183..5ba7b2b 100644
--- a/actionview/lib/action_view/renderer/renderer.rb
+++ b/actionview/lib/action_view/renderer/renderer.rb
@@ -17,6 +17,10 @@ module ActionView
 
     # Main render entry point shared by AV and AC.
     def render(context, options)
+      if options.respond_to?(:permitted?) && !options.permitted?
+        raise ArgumentError, "render parameters are not permitted"
+      end
+
       if options.key?(:partial)
         render_partial(context, options)
       else
-- 
2.5.4 (Apple Git-61)
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.