Remove nils from parameters arrays: CVE-2012-2694

presidentbeef · Jun 12, 2012 · 9229c4f · 9229c4f
1 parent 13214ba
commit 9229c4f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
@@ -489,7 +489,7 @@ def normalize_parameters(value)
           if value.length == 1 and value[0] == nil
             value = nil
           else
-            value.map { |e| normalize_parameters(e) }
+            value.map { |e| normalize_parameters(e) }.compact
           end
         else
           value

diff --git a/actionpack/test/controller/request/query_string_parsing_test.rb b/actionpack/test/controller/request/query_string_parsing_test.rb
@@ -115,6 +115,11 @@ def teardown
     assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
   end
 
+  test "remove nils from query parameter arrays" do
+    assert_parses({"action" => ['1']}, "action[]=1&action[]")
+    assert_parses({"action" => ['1', '2']}, "action[]=1&action[]&action[]=2")
+  end
+
   private
     def assert_parses(expected, actual)
       with_routing do |set|