Browse files

Sorry, wrong patch applied.

  • Loading branch information...
1 parent 791407d commit d9f037ea1f5075c283f5a66f0fc02114a7260c9a Andreas Scherer committed Feb 18, 2009
Showing with 2 additions and 6 deletions.
  1. +2 −6 railties/guides/source/security.textile
@@ -528,7 +528,7 @@ Ruby uses a slightly different approach than many other languages to match the e
class File < ActiveRecord::Base
- validates_format_of :name, :with => /^[\w\.\-\+]+$/ # [1]
+ validates_format_of :name, :with => /^[\w\.\-\+]+$/
@@ -541,13 +541,9 @@ file.txt%0A<script>alert('hello')</script>
Whereas %0A is a line feed in URL encoding, so Rails automatically converts it to "file.txt\n&lt;script&gt;alert('hello')&lt;/script&gt;". This file name passes the filter because the regular expression matches – up to the line end, the rest does not matter. The correct expression should read:
-/\A[\w\.\-\+]+\z/ # [2]
-fn1. Obviously, this regular expression gets rendered incorrectly by Textile. Could the original author please see into this?
-fn2. And this too, please.
h4. Privilege escalation
-- _Changing a single parameter may give the user unauthorized access. Remember that every parameter may be changed, no matter how much you hide or obfuscate it._

0 comments on commit d9f037e

Please sign in to comment.