Don't render arbitrary RABL templates

This could be used to execute arbitrary files on the host system, as
well as disclosing the existence of files on the system.

Signed-off-by: Jeff Dutil <JDutil@BurlingtonWebApps.com>
jhawthorn authored and JDutil committed Jul 24, 2015
1 parent 203657e commit a0cc2752ad5f1ca1d0015b8e8e185104e5830a2a
Showing with 2 additions and 2 deletions.
  1. +2 −2 api/app/views/spree/api/taxonomies/show.v1.rabl
@@ -1,7 +1,7 @@
object @taxonomy
if set = params[:set]
extends "spree/api/taxonomies/#{set}"
if params[:set] == 'nested'
extends "spree/api/taxonomies/nested"
else
attributes *taxonomy_attributes
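Review bot: the removed `extends "spree/api/taxonomies/#{set}"` interpolates the request-controlled `params[:set]` directly into the template path, which is the unchecked input the commit message refers to when it says arbitrary files could be rendered or their existence disclosed; the replacement `if params[:set] == 'nested'` with the fixed `extends "spree/api/taxonomies/nested"` is the right shape, since the only path that can now be extended is a literal. Two follow-ups worth noting in the same change: the `if set = params[:set]` assignment is gone, so nothing else in the template should still reference `set`, and a one-line comment above the new condition (or a changelog entry) saying that `set` is now restricted to the single value `nested` would document the behaviour change for API consumers; the trailing `else` / `attributes *taxonomy_attributes` branch is unchanged context.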
