Fix #8832 - Parse '{"person":[]}' JSON/XML as {'person' => []}. #9111

Merged
merged 1 commit into from Jan 30, 2013


jsomara commented Jan 29, 2013

submitting @ndbroadbent's patch for the 3.0 stable branch, as the bug introduced by the fix for CVE-2013-0155 applies to 3.0 as well

please see #8862 for details on the issue

@mhuggins mhuggins commented on the diff Jan 29, 2013

actionpack/lib/action_dispatch/http/request.rb
@@ -263,9 +263,12 @@ def deep_munge(hash)
hash.each do |k, v|
case v
when Array
+ if v.size > 0 && v.all?(&:nil?)
+ hash[k] = nil
+ next
+ end
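Review bot: The `v.size > 0 &&` guard in the added `when Array` branch is load-bearing and deserves an inline comment: `[].all?(&:nil?)` is true, so without the guard `[]` would also be replaced by `nil`, which is the behaviour the PR title says it is fixing. It would also help to note next to `hash[k] = nil` that `[nil]` is deliberately collapsed to `nil`, so callers can no longer tell `{"person":[null]}` from `{"person":null}`. `!v.empty?` would read more idiomatically than `v.size > 0`. Tests covering `[]`, `[nil]` and a mixed array such as `[nil, 1]` are not visible in this hunk and would pin down each case.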

mhuggins Jan 29, 2013

It looks like your code will convert this JSON:

{"person":[null]}

to this Ruby hash:

{"person": nil}

Is that right?


ndbroadbent Jan 29, 2013

Contributor

Yes, that's right.

After thinking about it some more, I personally think [null] is a valid query, and the problem should be solved with something like .query_present?, that returns false for "", nil, [], [nil], [""], etc.
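An added example, not part of the original thread and not Rails code: a sketch of the `query_present?` idea from the comment above, next to the array branch visible in the hunk isolated as a pure function. The names `query_present?`'s body, `munge_array`, `SAMPLES` and `report` are hypothetical, and the handling of hashes and of `0`/`false` is an assumption, since the comment lists only `""`, `nil`, `[]`, `[nil]` and `[""]`.

```ruby
# Hypothetical helper sketched from the comment above; not part of Rails.
# Returns false for values that carry no usable query term.
def query_present?(value)
  case value
  when nil    then false
  when String then !value.empty?
  when Array  then value.any? { |v| query_present?(v) }
  # Assumption: hashes are judged by their values (the comment does not cover them).
  when Hash   then value.values.any? { |v| query_present?(v) }
  # Assumption: any other scalar (0, false, ...) is a real value.
  else true
  end
end

# Only the branch visible in the hunk, isolated for comparison:
# a non-empty array of nils becomes nil, everything else is kept.
def munge_array(v)
  return nil if v.size > 0 && v.all?(&:nil?)
  v
end

# Constructed sample parameter values.
SAMPLES = ["", nil, [], [nil], [""], [nil, "bob"], "bob", 0, false]

# For each sample: the raw value, what the hunk's branch does to it
# (arrays only), and what the presence check reports.
def report
  SAMPLES.map do |v|
    [v, v.is_a?(Array) ? munge_array(v) : v, query_present?(v)]
  end
end

report.each do |raw, munged, present|
  puts "#{raw.inspect} -> munged=#{munged.inspect} present=#{present}"
end
```

The output shows the trade-off under discussion: the hunk's branch changes `[nil]` into `nil` while leaving `[]` and `[""]` alone, whereas a presence check leaves the parameters untouched and reports all of them as absent.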

Member

steveklabnik commented Jan 29, 2013

3.0 stable does not receive bug fixes any more, so I cannot accept this, sorry.

tenderlove reopened this Jan 30, 2013

tenderlove merged commit 10513d2 into rails:3-0-stable Jan 30, 2013

Isn't this line still problematic? Shouldn't this be set to an empty array?
