ActionDispatch::Http::UploadedFile is a permitted scalar

README.rdoc

@@ -37,7 +37,7 @@ Given
 
 the key +:id+ will pass the whitelisting if it appears in +params+ and it has a permitted scalar value associated. Otherwise the key is going to be filtered out, so arrays, hashes, or any other objects cannot be injected.
 
-The permitted scalar types are +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+, +Date+, +Time+, +DateTime+, +StringIO+, and +IO+.
+The permitted scalar types are +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+, +Date+, +Time+, +DateTime+, +StringIO+, +IO+, and +ActionDispatch::Http::UploadedFile+.
 
 To declare that the value in +params+ must be an array of permitted scalar values map the key to an empty array:
 

lib/action_controller/parameters.rb

@@ -5,6 +5,7 @@
 require 'active_support/concern'
 require 'active_support/core_ext/hash/indifferent_access'
 require 'action_controller'
+require 'action_dispatch/http/upload'
 
 module ActionController
   class ParameterMissing < IndexError
@@ -141,6 +142,7 @@ def convert_hashes_to_parameters(key, value)
         # DateTimes are Dates, we document the type but avoid the redundant check.
         StringIO,
         IO,
+        ActionDispatch::Http::UploadedFile,
       ]
 
       def permitted_scalar?(value)

test/parameters_permit_test.rb

@@ -1,5 +1,6 @@
 require 'test_helper'
 require 'action_controller/parameters'
+require 'action_dispatch/http/upload'
 
 class NestedParametersTest < ActiveSupport::TestCase
   def assert_filtered_out(params, key)
@@ -26,7 +27,7 @@ def assert_filtered_out(params, key)
     values += [0, 1.0, 2**128, BigDecimal.new(1)]
     values += [true, false]
     values += [Date.today, Time.now, DateTime.now]
-    values += [StringIO.new]
+    values += [StringIO.new, STDOUT, ActionDispatch::Http::UploadedFile.new(:tempfile => __FILE__)]
 
     values.each do |value|
       params = ActionController::Parameters.new(:id => value)