Don't accept parameters as argument for redirect to [via @homakov]

Closes #16170
rails · Jul 16, 2014 · 973490a · 973490a
1 parent 0997ceb
commit 973490a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -64,6 +64,7 @@ module Redirecting
     # behavior for this case by rescuing ActionController::RedirectBackError.
     def redirect_to(options = {}, response_status = {}) #:doc:
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
+      raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_status)

diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
@@ -90,6 +90,10 @@ def redirect_to_nil
     redirect_to nil
   end
 
+  def redirect_to_params
+    redirect_to ActionController::Parameters.new(status: 200, protocol: 'javascript', f: '%0Aeval(name)')
+  end
+
   def redirect_to_with_block
     redirect_to proc { "http://www.rubyonrails.org/" }
   end
@@ -281,6 +285,12 @@ def test_redirect_to_nil
     end
   end
 
+  def test_redirect_to_params
+    assert_raise(ActionController::ActionControllerError) do
+      get :redirect_to_params
+    end
+  end
+
   def test_redirect_to_with_block
     get :redirect_to_with_block
     assert_response :redirect