Filters out file uploads #89

ollym opened this Issue · 7 comments

Oliver Morgan

In the latest master revision. Had to revert to the gem....

Rafael Mendonça França

Could you explain your issue better?

Oliver Morgan
form_for @user, multipart: true do |f|
  f.file_field :image   # multipart form, so :image arrives as an uploaded-file object
end

When using master branch:

params.require(:user).permit :image # => {}

When using gem:

params.require(:user).permit :image # => { image: ... }
Xavier Noria

Can you try using the master branch of the gem? We whitelist scalar values now; maybe there's an edge case there.

Oliver Morgan

@fxn Looks like you would have fixed it in that latest commit. However I'm not sure why, but in the back of my mind I remember the file coming in as a Rack class? Maybe?

You need to write better test cases for this.

Xavier Noria

It is not a matter of better tests. We have a strict list of whitelisted types, if the type is not there it is not a permitted scalar by definition.

The list of permitted scalars is new, if you confirm the type is legit and not included, then we will include it.
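
As an added illustration of the whitelist behaviour described in this thread (example code written for this page, not code from the strong_parameters project): a minimal permit-by-scalar-type filter, run over a constructed params hash. The `UploadedFile` struct is an assumed stand-in for the object Rack/Rails hand over for a multipart file field, not the real class, and `permit_scalars` is a hypothetical reduction of the real `permit`. It shows why the `:image` key silently disappears when the file's class is not on the scalar list, and that adding the class lets the file through while a nested hash under a permitted key is still dropped.

```ruby
# Added example (not strong_parameters' own code): a minimal model of
# permit-by-scalar-whitelist, to show why an uploaded file's class must be on
# the list or the key silently vanishes from the permitted hash.

# Stand-in for the object Rack/Rails hand you for a multipart file field
# (assumption: mirrors the shape of an uploaded-file object, not the real class).
UploadedFile = Struct.new(:original_filename, :content_type, :tempfile)

# Types accepted as "scalar" values by the filter. A Hash or Array under a
# permitted key is not a scalar and is never let through by this path.
BASIC_SCALARS = [String, Symbol, Numeric, TrueClass, FalseClass, NilClass].freeze

# Return a new hash holding only +keys+ whose value is an instance of one of
# +allowed+ (checked with ===, so subclasses count); everything else is dropped.
def permit_scalars(params, keys, allowed = BASIC_SCALARS)
  keys.each_with_object({}) do |key, permitted|
    next unless params.key?(key)
    value = params[key]
    permitted[key] = value if allowed.any? { |type| type === value }
  end
end

# Constructed sample of what params[:user] might hold after a multipart form post.
def sample_user_params
  {
    name: "oliver",
    image: UploadedFile.new("avatar.png", "image/png", :tempfile_placeholder),
    role: { admin: true } # nested hash: not a scalar, must never slip through
  }
end

# Before: the file's class is missing from the whitelist, so :image is dropped.
def without_file_type
  permit_scalars(sample_user_params, [:image, :role])
end

# After: the file's class is on the whitelist, so :image is kept; :role (a Hash)
# is still dropped because the type check, not the key list alone, decides.
def with_file_type
  permit_scalars(sample_user_params, [:image, :role], BASIC_SCALARS + [UploadedFile])
end

if __FILE__ == $0
  p without_file_type # => {}
  p with_file_type    # => {:image=>#<struct UploadedFile original_filename="avatar.png", ...>}
end
```

The type check is what makes the whitelist a defence rather than a key filter: a value is let through only when its class is explicitly accepted, so an unexpected structure (a Hash, an Array, an arbitrary object) under an otherwise permitted key is rejected by default, and a new legitimate type such as an upload has to be added deliberately.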

Oliver Morgan

@fxn What issue does this strict whitelisting solve?

Xavier Noria

It is a first-line defense against unwanted injections.

