
Strip [nil] from parameters hash.

Thanks to Ben Murphy for reporting this!

CVE-2012-2660
tenderlove committed May 30, 2012
1 parent 71f7917 commit dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d
@@ -247,6 +247,28 @@ def local?
LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
end
+ protected
+
+ # Remove nils from the params hash
+ def deep_munge(hash)
+ hash.each_value do |v|
+ case v
+ when Array
+ v.grep(Hash) { |x| deep_munge(x) }
+ when Hash
+ deep_munge(v)
+ end
+ end
+
+ keys = hash.keys.find_all { |k| hash[k] == [nil] }
+ keys.each { |k| hash[k] = nil }
+ hash
+ end
+
+ def parse_query(qs)
+ deep_munge(super)
+ end
+
private
def check_method(name)
@@ -81,7 +81,12 @@ def teardown
end
test "query string without equal" do
- assert_parses({ "action" => nil }, "action")
+ assert_parses({"action" => nil}, "action")
+ assert_parses({"action" => {"foo" => nil}}, "action[foo]")
+ assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar]")
+ assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar][]")
+ assert_parses({"action" => {"foo" => nil}}, "action[foo][]")
+ assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
end
test "query string with empty key" do
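Review bot: The new `assert_parses` lines mix three hash-literal spacings — `{"foo" => { "bar" => nil }}`, `{"action"=>{"foo"=>[{"bar"=>nil}]}}` and the `{"action" => nil}` form the first line was normalised to — which makes the expected structures harder to compare by eye; settle on the `{"key" => value}` spacing used on the first line throughout. The cases added all exercise the collapse of a trailing `[]` to nil, but none shows that a populated array survives, so a companion such as `assert_parses({"action" => {"foo" => ["1"]}}, "action[foo][]=1")` would guard against over-eager stripping in a later change (this assumes `assert_parses` compares the parsed query hash to the first argument, as the existing usage suggests). The enclosing test class continues outside the hunk.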
