
ActionDispatch::Http::UploadedFile is a permitted scalar

1 parent 44cf253 commit 9f0c7c4c03a84dcc509a34c6c41161876bcb0757 @fxn fxn committed Jan 23, 2013
Showing with 5 additions and 2 deletions.
  1. +1 −1 README.rdoc
  2. +2 −0 lib/action_controller/parameters.rb
  3. +2 −1 test/parameters_permit_test.rb
@@ -37,7 +37,7 @@ Given
the key +:id+ will pass the whitelisting if it appears in +params+ and it has a permitted scalar value associated. Otherwise the key is going to be filtered out, so arrays, hashes, or any other objects cannot be injected.
-The permitted scalar types are +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+, +Date+, +Time+, +DateTime+, +StringIO+, and +IO+.
+The permitted scalar types are +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+, +Date+, +Time+, +DateTime+, +StringIO+, +IO+, and +ActionDispatch::Http::UploadedFile+.
To declare that the value in +params+ must be an array of permitted scalar values map the key to an empty array:
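Review bot: the updated README line (+16) adds the type to the list but says nothing about what permitting an +ActionDispatch::Http::UploadedFile+ lets through, and the sentence just above it promises that "any other objects cannot be injected". Unlike the other scalars, an uploaded file carries client-supplied metadata (the original filename and the content type) alongside the tempfile, none of which is validated by the whitelist. A one-line caveat next to the list that callers must still sanitize the filename and content type before using them would make the documented guarantee accurate.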
@@ -5,6 +5,7 @@
require 'active_support/concern'
require 'active_support/core_ext/hash/indifferent_access'
require 'action_controller'
+require 'action_dispatch/http/upload'
module ActionController
class ParameterMissing < IndexError
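Review bot: the explicit `require 'action_dispatch/http/upload'` at +22 is the right call rather than relying on ActionDispatch's autoloading, because the constant is referenced at file load time from the PERMITTED_SCALAR_TYPES array, so a missing require would raise NameError on the first `require 'action_controller/parameters'`. Note that once this file requires it, the same require in test/parameters_permit_test.rb is redundant.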
@@ -141,6 +142,7 @@ def convert_hashes_to_parameters(key, value)
# DateTimes are Dates, we document the type but avoid the redundant check.
StringIO,
IO,
+ ActionDispatch::Http::UploadedFile,
]
def permitted_scalar?(value)
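Review bot: the new entry at +29 deserves a short comment in the style of the DateTime one two lines above. ActionDispatch::Http::UploadedFile wraps a Tempfile by delegation rather than subclassing IO, so it is not covered by the IO or StringIO entries already in the array and needs its own; without the comment, a later reader is likely to see it as redundant next to IO and drop it, silently filtering every file upload out of permitted params again.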
@@ -1,5 +1,6 @@
require 'test_helper'
require 'action_controller/parameters'
+require 'action_dispatch/http/upload'
class NestedParametersTest < ActiveSupport::TestCase
def assert_filtered_out(params, key)
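Review bot: the require at +35 is redundant: `action_controller/parameters`, required on the line above, now pulls in `action_dispatch/http/upload` itself, so the test should not need to know about that dependency. Separately, the class in this file is still named NestedParametersTest while the file is test/parameters_permit_test.rb; renaming it to ParametersPermitTest would match the file and avoid a collision with the nested parameters test.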
@@ -26,7 +27,7 @@ def assert_filtered_out(params, key)
values += [0, 1.0, 2**128, BigDecimal.new(1)]
values += [true, false]
values += [Date.today, Time.now, DateTime.now]
- values += [StringIO.new]
+ values += [StringIO.new, STDOUT, ActionDispatch::Http::UploadedFile.new(:tempfile => __FILE__)]
values.each do |value|
params = ActionController::Parameters.new(:id => value)
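Review bot: `:tempfile => __FILE__` at +43 hands UploadedFile a String path rather than a Tempfile, so the fixture would break as soon as anything other than the class check touched it (read, path, or size delegate to the tempfile). That is enough for permitted_scalar?, but either constructing a real Tempfile or adding a comment that only the class matters here would keep the fixture honest. Adding STDOUT is a good catch: before this change the IO entry in PERMITTED_SCALAR_TYPES had no value exercising it, only StringIO. It would also be worth pairing this with a negative case through the existing assert_filtered_out helper, for example a plain Object.new, so the test shows that widening the list did not loosen the filter for arbitrary objects.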
