[Rails::MailersController] Do not leak I18n global setting changes #35997

@tjoyal tjoyal commented Apr 16, 2019

Summary

Originally added here: #31596

Using the action mailer specifying a locale to the preview would leak a global I18n setting change (I18n.locale).

Since it is only exposed in development, this is not that big of a deal; it only corrupts instances running in development.

```ruby
options.show_previews = Rails.env.development? if options.show_previews.nil?

if options.show_previews
  app.routes.prepend do
    get "/rails/mailers"       => "rails/mailers#index", internal: true
    get "/rails/mailers/*path" => "rails/mailers#preview", internal: true
  end
end
```

Using I18n.with_locale(locale) {...} will make certain the previous value is restored.
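The leak described above and the block-scoped fix, as an added example that is not code from this pull request or from Rails. `LocaleStore`, `leaky_preview`, `scoped_preview` and `locale_after` are hypothetical names, and `LocaleStore` is a stand-in for I18n (assumed to keep the locale per thread) so the example runs without the gem.

```ruby
# Stand-in for I18n (assumption: per-thread locale, block-scoped setter that
# restores the previous value); lets the example run without the i18n gem.
module LocaleStore
  DEFAULT = :en

  def self.locale
    Thread.current[:demo_locale] || DEFAULT
  end

  def self.locale=(value)
    Thread.current[:demo_locale] = value
  end

  # Set the locale for the duration of the block, restoring it even on error.
  def self.with_locale(tmp)
    return yield if tmp.nil?
    previous = locale
    self.locale = tmp
    begin
      yield
    ensure
      self.locale = previous
    end
  end
end

# Hypothetical preview handlers; params is a constructed request hash.
def leaky_preview(params)
  LocaleStore.locale = params[:locale] if params[:locale] # never reset
  "rendered in #{LocaleStore.locale}"
end

def scoped_preview(params)
  LocaleStore.with_locale(params[:locale]) do
    raise ArgumentError, "preview failed" if params[:fail]
    "rendered in #{LocaleStore.locale}"
  end
end

# Serve the requests one after another on a single worker thread and report
# the locale that the next request on that thread would inherit.
def locale_after(handler, requests)
  Thread.new do
    requests.each { |req| send(handler, req) rescue nil } # failures ignored
    LocaleStore.locale
  end.value
end
```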

@rails-bot rails-bot bot added the railties label Apr 16, 2019
@@ -5,8 +5,9 @@
class Rails::MailersController < Rails::ApplicationController # :nodoc:
prepend_view_path ActionDispatch::DebugView::RESCUES_TEMPLATE_PATH

around_action :set_locale, only: :preview
before_action :find_preview, only: :preview
before_action :require_local!, unless: :show_previews?
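Review bot: `around_action :set_locale, only: :preview` is declared ahead of `before_action :require_local!, unless: :show_previews?`, so the locale wrapper starts before the local-request check runs; declaring `require_local!` first would reject a non-local request before the locale is touched. The body of `set_locale` is not in this hunk, so a regression test that requests a preview with a locale and then asserts `I18n.locale` is unchanged would pin down the restore behaviour.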
Contributor Author

Since this is gated by the route to simply not be present, I'm not certain why it is required. I didn't alter it as part of the PR; it could be done on the side if we desire.

@rafaelfranca rafaelfranca merged commit 19df75d into rails:master Apr 16, 2019