Filters out file uploads #89

Open
ollym opened this Issue Jan 23, 2013 · 7 comments

3 participants

@ollym

In the latest master revision. Had to revert to the gem....

@rafaelfranca
Ruby on Rails member

Could you explain your issue better?

@ollym
form_for @user, multipart: true do |f|
   f.file_field :image
end

When using master branch:

params.require(:user).permit :image # => {}

When using gem:

params.require(:user).permit :image # => { image: ... }
@fxn
Ruby on Rails member

Can you try using the master branch of the gem? We whitelist scalar values now; maybe there's an edge case there.

@ollym

@fxn Looks like you would have fixed it in that latest commit. However I'm not sure why, but in the back of my mind I remember the file coming in as a Rack class? Maybe http://rack.rubyforge.org/doc/Multipart/UploadedFile.html ?

You need to write better test cases for this.

@fxn
Ruby on Rails member

It is not a matter of better tests. We have a strict list of whitelisted types, if the type is not there it is not a permitted scalar by definition.

The list of permitted scalars is new, if you confirm the type is legit and not included, then we will include it.

@ollym

@fxn What issue does this strict whitelisting solve?

@fxn
Ruby on Rails member

It is a first-line defense against unwanted injections.
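The behaviour the thread describes, as an added example that is not strong_parameters' or Rails' own code: a minimal model of a "permitted scalar" whitelist, showing why an uploaded file is dropped when its class is not on the list and how extending the list (rather than loosening the check) keeps the fail-closed default fxn describes. `UploadedFileStub`, `permit`, `permitted_scalar?` and the whitelist constants are assumptions made for this self-contained script; Rails' real list lives in ActionController::Parameters and differs in detail.

```ruby
# Added example (not strong_parameters' own code): a minimal model of the
# "permitted scalar" whitelist discussed in this thread. All names here are
# assumptions chosen for an offline demonstration; Rails' real whitelist
# lives in ActionController::Parameters and is not reproduced here.

# Stand-in for the upload object (ActionDispatch::Http::UploadedFile / Rack's
# UploadedFile), constructed here so the script needs neither Rails nor Rack.
UploadedFileStub = Struct.new(:original_filename, :content_type)

# Baseline whitelist: only instances of these classes pass through `permit`.
# Anything else (Hash, Array, arbitrary objects) is silently dropped.
BASE_PERMITTED_SCALARS = [String, Symbol, NilClass, Numeric, TrueClass, FalseClass].freeze

# The same whitelist with the upload type added explicitly: the fix the
# thread converges on, instead of relaxing the type check for everything.
PERMITTED_SCALARS_WITH_UPLOADS = (BASE_PERMITTED_SCALARS + [UploadedFileStub]).freeze

# True only when `value` is an instance of a whitelisted class.
# Unknown types fail closed: the filter never guesses that a type is safe.
def permitted_scalar?(value, whitelist)
  whitelist.any? { |klass| value.is_a?(klass) }
end

# Mimics `params.require(:key).permit(*attrs)` for top-level attributes:
# a key is kept only if it is explicitly named AND its value is a permitted
# scalar. Both conditions are needed; naming a key is not enough on its own.
def permit(params, attrs, whitelist: BASE_PERMITTED_SCALARS)
  params.each_with_object({}) do |(key, value), kept|
    next unless attrs.include?(key)
    next unless permitted_scalar?(value, whitelist)
    kept[key] = value
  end
end

# Constructed sample payload, shaped like the multipart form_for submission
# in the thread (values are made up for this example).
USER_PARAMS = {
  name:  "Olly",
  image: UploadedFileStub.new("avatar.png", "image/png"),
  admin: true,                      # mass-assignment target; not named below
  prefs: { "theme" => "dark" },     # nested Hash: not a scalar, always dropped here
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Upload dropped: its class is not whitelisted (the behaviour reported in the issue).
  p permit(USER_PARAMS, [:name, :image])
  # Upload kept once its type is on the list; everything else is still filtered.
  p permit(USER_PARAMS, [:name, :image], whitelist: PERMITTED_SCALARS_WITH_UPLOADS)
  # Naming :prefs does not help: a nested Hash is not a permitted scalar.
  p permit(USER_PARAMS, [:name, :admin, :prefs])
end
```

The point of the strict list is visible in the last call: a key the controller names is still rejected when its value has an unexpected type, so a request that smuggles a structure or object where a scalar is expected is dropped instead of reaching mass assignment. When a legitimate type such as an upload is missing, the right fix is to add that one class to the list, as fxn suggests, not to skip the type check.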
