Filters out file uploads #89

Open
ollym opened this Issue · 7 comments

3 participants

@ollym

In the latest master revision. Had to revert to the gem....

@rafaelfranca

Could you explain your issue better?

@ollym
form_for @user, multipart: true do |f|
   f.file_field :image
end

When using master branch:

params.require(:user).permit :image # => {}

When using gem:

params.require(:user).permit :image # => { image: ... }

@fxn
Owner

Can you try using the master branch of the gem? We whitelist scalar values now maybe there's an edge case there.

@ollym

@fxn Looks like you would have fixed it in that latest commit. However I'm not sure why, but in the back of my mind I remember the file coming in as a Rack class? Maybe http://rack.rubyforge.org/doc/Multipart/UploadedFile.html ?

You need to write better test cases for this.

@fxn
Owner

It is not a matter of better tests. We have a strict list of whitelisted types, if the type is not there it is not a permitted scalar by definition.

The list of permitted scalars is new, if you confirm the type is legit and not included, then we will include it.

@ollym

@fxn What issue does this strict whitelisting solve?

@fxn
Owner

It is a first-line defense against unwanted injections.
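To make the two points above concrete (the strict whitelist of scalar types fxn describes, and why that whitelist is a first-line defense against injecting structures through a key permitted as a scalar), here is a small added example. It is not code from strong_parameters or Rails: `ScalarFilter`, `UploadedFile`, `BASE_SCALAR_TYPES` and the sample params are constructed for this illustration, and the type list is a hypothetical model of the idea, not the gem's actual list.

```ruby
require 'stringio'

# Constructed stand-in for the object Rails hands the controller for a
# multipart upload. Note it is NOT a subclass of IO or StringIO, so a
# whitelist that only names those types will not match it.
class UploadedFile
  attr_reader :original_filename, :content_type, :tempfile

  def initialize(original_filename:, content_type:, tempfile:)
    @original_filename = original_filename
    @content_type = content_type
    @tempfile = tempfile
  end
end

class ScalarFilter
  # Hypothetical whitelist modelled on the thread's description; the real
  # list lives in strong_parameters and may differ.
  BASE_SCALAR_TYPES = [String, Symbol, NilClass, Numeric,
                       TrueClass, FalseClass, StringIO, IO].freeze

  def initialize(extra_scalar_types = [])
    @scalar_types = BASE_SCALAR_TYPES + extra_scalar_types
  end

  # A value is a permitted scalar only if it is an instance of a listed type.
  # Hash and Array are never listed, so `permit :role` cannot let a nested
  # {admin: true} through: that is the "first-line defense" in the thread.
  def permitted_scalar?(value)
    @scalar_types.any? { |type| value.is_a?(type) }
  end

  # Mirrors params.require(:user).permit(:a, :b) for plain keys: a key is
  # copied into the result only when present and its value is a permitted scalar.
  def permit(params, *keys)
    keys.each_with_object({}) do |key, permitted|
      next unless params.key?(key)
      value = params[key]
      permitted[key] = value if permitted_scalar?(value)
    end
  end
end

# Constructed request parameters: the upload from the form, a plain string,
# and a nested hash smuggled in under a key the form never sends.
def sample_params
  {
    image: UploadedFile.new(original_filename: 'avatar.png',
                            content_type: 'image/png',
                            tempfile: StringIO.new("\x89PNG\r\n")),
    name: 'olly',
    role: { admin: true }
  }
end

# Strict base list: the reported behaviour. The upload's class is not on the
# list, so it is dropped (the nested hash is dropped as well).
def permit_strict(params = sample_params)
  ScalarFilter.new.permit(params, :image, :name, :role)
end

# With the upload type added to the list (the fix fxn suggests): the upload
# survives while the nested hash is still rejected.
def permit_with_upload_type(params = sample_params)
  ScalarFilter.new([UploadedFile]).permit(params, :image, :name, :role)
end

if __FILE__ == $PROGRAM_NAME
  p permit_strict.keys
  p permit_with_upload_type.keys
end
```

Running it shows the filter drops `:image` until its class is whitelisted, and that `:role` never gets through in either configuration; in real strong_parameters a nested structure has to be permitted explicitly (e.g. `permit(role: [:admin])`), which is exactly what the scalar list enforces.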
