Mass-assignment whitelist awareness. #1

Open

2 participants

@oesmith
Collaborator

Uses a block instead of hash-assignment to avoid falling foul of mass
assignment whitelist protection.

Also adds attr_accessible to models to disallow mass-assignment. There's a
negligible chance of anybody ever writing code that'll be vulnerable (I
hope), but it's worth having it in there so the tests exercise the block
change! :)

@oesmith oesmith Mass-assignment whitelist awareness.
31fd8c5
@travisbot

This pull request fails (merged 31fd8c5 into b3d6a1b).

Commits on Aug 24, 2012
  1. @oesmith

    Mass-assignment whitelist awareness.

    oesmith authored
1  app/models/openid_association.rb
@@ -1,2 +1,3 @@
class OpenidAssociation < OpenidAbstract
+ attr_accessible
end
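Review bot: a bare `attr_accessible` with no arguments reads like a forgotten list rather than a deliberately empty whitelist; add a one-line comment above it stating that no attribute is mass-assignable by design and that the store writes columns through the block form of `create!`. Since this model and OpenidNonce both inherit from OpenidAbstract, also consider declaring the empty whitelist once in the parent so a model added under it later does not silently miss the protection.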
1  app/models/openid_nonce.rb
@@ -1,4 +1,5 @@
class OpenidNonce < OpenidAbstract
+ attr_accessible
# attempt to scan timestamps (integers) first for fast access.
def self.exists_by_target?(timestamp, salt, target)
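Review bot: the inserted `attr_accessible` lands directly above the comment that documents `exists_by_target?`, so that comment now visually attaches to the whitelist declaration; put a blank line after `attr_accessible` (or place it below the comment block) so the comment stays with the method it describes. Same remark as for OpenidAssociation: a short comment explaining the intentionally empty list will stop the next reader from "fixing" it.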
28 lib/openid/store/active_record.rb
@@ -12,15 +12,15 @@ class ActiveRecord < Interface
# on the character set of the server_url. In particular, expect to see
# unescaped non-url-safe characters in the server_url field.
def store_association(server_url, association)
- OpenidAssociation.create!(
- :server_url => server_url,
- :target => targetize(server_url),
- :handle => association.handle,
- :secret => association.secret,
- :issued_at => association.issued,
- :lifetime => association.lifetime,
- :assoc_type => association.assoc_type
- )
+ OpenidAssociation.create! do |n|
+ n.server_url = server_url
+ n.target = targetize(server_url)
+ n.handle = association.handle
+ n.secret = association.secret
+ n.issued_at = association.issued
+ n.lifetime = association.lifetime
+ n.assoc_type = association.assoc_type
+ end
true
end
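Review bot: the block variable `n` looks copied from the nonce code path; in `store_association` the record is an association, so `a` or `assoc` would read better. More importantly, add a brief comment at the top of the block saying why assignment goes through the block rather than the attributes hash: with the models' empty `attr_accessible` whitelist, a hash passed to `create!` would have every key either filtered out (saving the row with nil `server_url`, `target`, `handle` and `secret`) or rejected with an error, depending on the application's mass-assignment sanitizer setting. Without that comment a later cleanup could collapse the block back into a hash and reintroduce the silent failure this change prevents.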
@@ -108,11 +108,11 @@ def build_association(open_id_association)
end
def create_nonce(server_url, timestamp, salt)
- OpenidNonce.create!(
- :target => targetize(server_url),
- :server_url => server_url,
- :timestamp => timestamp
- )
+ OpenidNonce.create! do |n|
+ n.target = targetize(server_url)
+ n.server_url = server_url
+ n.timestamp = timestamp
+ end
true
end
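Review bot: the nonce row is the replay-protection record, so a nonce persisted with nil `target` or `timestamp` would leave `exists_by_target?` (openid_nonce.rb above) unable to recognise a reused nonce; the block form keeps those columns populated under the empty whitelist. Given that travisbot reports the merged build failing, add or adjust a test that calls `create_nonce` and asserts the persisted `target`, `server_url` and `timestamp`, so the suite proves the whitelist no longer strips them. `create!` raises on validation failure, so the unconditional `true` return after it is fine.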