From 661da266b94909574426fd1121ef13b800e01b9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
Date: Thu, 11 Jun 2020 10:15:49 -0400
Subject: [PATCH] Only allow ActionableErrors if show_detailed_exceptions is enabled [CVE-2020-8185]

---
 .../middleware/actionable_exceptions.rb | 2 +-
 actionpack/test/dispatch/actionable_exceptions_test.rb | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb b/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb
index e94cc4660339b..266fd92ce9856 100644
--- a/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb
+++ b/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb
@@ -23,7 +23,7 @@ def call(env)

 private
 def actionable_request?(request)
- request.show_exceptions? && request.post? && request.path == endpoint
+ request.get_header("action_dispatch.show_detailed_exceptions") && request.post? && request.path == endpoint
 end

 def redirect_to(location)
diff --git a/actionpack/test/dispatch/actionable_exceptions_test.rb b/actionpack/test/dispatch/actionable_exceptions_test.rb
index 9215a91e9c167..bb3263dd7291d 100644
--- a/actionpack/test/dispatch/actionable_exceptions_test.rb
+++ b/actionpack/test/dispatch/actionable_exceptions_test.rb
@@ -30,7 +30,7 @@ class ActionError < StandardError
 error: ActionError.name,
 action: "Successful action",
 location: "/",
- }
+ }, headers: { "action_dispatch.show_detailed_exceptions" => true }

 assert_equal ["Action!"], Actions

@@ -43,7 +43,7 @@ class ActionError < StandardError
 error: ActionError.name,
 action: "Successful action",
 location: "/",
- }, headers: { "action_dispatch.show_exceptions" => false }
+ }, headers: { "action_dispatch.show_detailed_exceptions" => false }

 assert_empty Actions
 end
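Review bot: The new gate in `actionable_request?` reads a raw env key instead of a Request predicate, and nothing on that line records why this key is the one that matters for the fix; a one-line comment would carry that, e.g. `# Gate on the same flag DebugExceptions honours, so actions are only dispatchable where detailed error pages are shown (normally off in production).` Because `get_header` yields nil for an absent key, a request with no such header is rejected, so the check fails closed, which is what this change needs. The removed line shows Request already offers `show_exceptions?`; if a `show_detailed_exceptions?` counterpart exists or is added, using it here and in the tests would avoid repeating the "action_dispatch.show_detailed_exceptions" string in six places. The enclosing class and the `call` method that consults this predicate lie outside the hunk.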
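Review bot: The "not allowed" test in the `@@ -43,7` hunk only covers the flag being explicitly false; the configuration the fix is meant to protect is the one where the header is absent entirely, and no test in this patch exercises that. Adding a sibling test that issues the same `post ActionDispatch::ActionableExceptions.endpoint, params: { ... }` without any `headers:` argument and then asserts `assert_empty Actions` would pin the fail-closed default directly. The test class header and setup are outside the hunks.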
@@ -54,7 +54,7 @@ class ActionError < StandardError
 error: ActionError.name,
 action: "Failed action",
 location: "/",
- }
+ }, headers: { "action_dispatch.show_detailed_exceptions" => true }
 end
 end

@@ -64,7 +64,7 @@ class ActionError < StandardError
 error: RuntimeError.name,
 action: "Inexistent action",
 location: "/",
- }
+ }, headers: { "action_dispatch.show_detailed_exceptions" => true }
 end
 end

@@ -74,7 +74,7 @@ class ActionError < StandardError
 error: "",
 action: "Inexistent action",
 location: "/",
- }
+ }, headers: { "action_dispatch.show_detailed_exceptions" => true }
 end
 end
 end