
Filters out file uploads #89

Open
ollym opened this Issue · 7 comments

3 participants

Oliver Morgan Rafael Mendonça França Xavier Noria
Oliver Morgan

In the latest master revision. Had to revert to the gem....

Rafael Mendonça França

Could you explain your issue better?

Oliver Morgan
```ruby
form_for @user, multipart: true do |f|
  f.file_field :image
end
```

When using master branch:

```ruby
params.require(:user).permit :image # => {}
```

When using gem:

```ruby
params.require(:user).permit :image # => { image: ... }
```

Xavier Noria
Owner

Can you try using the master branch of the gem? We whitelist scalar values now; maybe there's an edge case there.

Oliver Morgan

@fxn Looks like you would have fixed it in that latest commit. However, I'm not sure why, but in the back of my mind I remember the file coming in as a Rack class? Maybe http://rack.rubyforge.org/doc/Multipart/UploadedFile.html ?

You need to write better test cases for this.

Xavier Noria
Owner

It is not a matter of better tests. We have a strict list of whitelisted types, if the type is not there it is not a permitted scalar by definition.

The list of permitted scalars is new; if you confirm the type is legit and not included, then we will include it.
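The whitelist behaviour described in the two comments above, as an added illustration that is not the strong_parameters gem's own code: a minimal model of how `permit` keeps a key only when its value is an instance of a whitelisted scalar type, so an uploaded-file object is silently dropped until its class is added to the list. `FakeUploadedFile` stands in for the Rack upload class and `BASE_SCALAR_TYPES` is a constructed list, not the gem's actual one.

```ruby
require 'date'
require 'stringio'

# Stand-in for the Rack multipart upload object (assumption: the real class
# is not loaded here, so a constructed lookalike is used instead).
class FakeUploadedFile
  attr_reader :original_filename, :content_type, :tempfile

  def initialize(name, type)
    @original_filename = name
    @content_type = type
    @tempfile = StringIO.new("constructed file bytes")
  end
end

# Constructed whitelist of scalar types a normal form field submits.
# Anything whose class is not listed is not a permitted scalar by definition.
BASE_SCALAR_TYPES = [
  String, Symbol, NilClass, Numeric, TrueClass, FalseClass, Date, Time, StringIO
].freeze

def permitted_scalar?(value, types)
  types.any? { |t| value.is_a?(t) }
end

# Return a new hash with only the requested keys whose values pass the check;
# a non-whitelisted value is dropped rather than raising, which is why the
# issue reports an empty hash instead of an error.
def permit(params, keys, types: BASE_SCALAR_TYPES)
  keys.each_with_object({}) do |key, out|
    next unless params.key?(key)
    value = params[key]
    out[key] = value if permitted_scalar?(value, types)
  end
end

# Reproduce the report: the upload vanishes with the base list and survives
# once its type is whitelisted.
def demo
  upload = FakeUploadedFile.new("avatar.png", "image/png")
  user_params = { name: "Oliver", image: upload }
  before = permit(user_params, [:name, :image])
  after  = permit(user_params, [:name, :image],
                  types: BASE_SCALAR_TYPES + [FakeUploadedFile])
  [before, after]
end
```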

Oliver Morgan

@fxn What issue does this strict whitelisting solve?

Xavier Noria
Owner

It is a first-line defense against unwanted injections.
