author | Robin Houston <robin.houston@gmail.com> | 2012-06-07 11:51:49 +0100 |
---|---|---|
committer | Robin Houston <robin.houston@gmail.com> | 2012-06-07 11:51:49 +0100 |
commit | 8205289477f0c13f4fba80cda069902bea09e4ad (patch) | |
tree | 84d54b668c2dfa6d359ae44206b66d65c2bed219 | |
parent | 5310c55e01d42cebbe7ede9e9a42e8f4dacc90d9 (diff) |
Monkey-patch for CVE-2012-2660
Stolen from FixMyTransport. Thanks @crowbot!
-rw-r--r-- | config/initializers/strip_nil_parameters_patch.rb | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/config/initializers/strip_nil_parameters_patch.rb b/config/initializers/strip_nil_parameters_patch.rb
new file mode 100644
index 000000000..35d0a28c5
--- /dev/null
+++ b/config/initializers/strip_nil_parameters_patch.rb
@@ -0,0 +1,51 @@
+# Stolen from https://raw.github.com/mysociety/fixmytransport/fa9b014eb2628c300693e055f129cb8959772082/config/initializers/strip_nil_parameters_patch.rb
+
+# Monkey patch for CVE-2012-2660 on Rails 2.3.14
+
+# Strip [nil] from parameters hash
+# based on a pull request from @sebbacon
+# https://github.com/rails/rails/pull/6580
+
+module ActionController
+  class Request < Rack::Request
+    protected
+    def deep_munge(hash)
+      hash.each_value do |v|
+        case v
+        when Array
+          v.grep(Hash) { |x| deep_munge(x) }
+        when Hash
+          deep_munge(v)
+        end
+      end
+
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+      hash
+    end
+
+    private
+
+    def normalize_parameters(value)
+      case value
+      when Hash
+        if value.has_key?(:tempfile)
+          upload = value[:tempfile]
+          upload.extend(UploadedFile)
+          upload.original_path = value[:filename]
+          upload.content_type = value[:type]
+          upload
+        else
+          h = {}
+          value.each { |k, v| h[k] = normalize_parameters(v) }
+          deep_munge(h.with_indifferent_access)
+        end
+      when Array
+        value.map { |e| normalize_parameters(e) }
+      else
+        value
+      end
+    end
+
+  end
+end
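Review bot: deep_munge only rewrites values that are exactly `[nil]` (the `hash[k] == [nil]` scan), so an array holding two or more nils, nils mixed with real values, or a nil inside a nested array (the `v.grep(Hash) { |x| deep_munge(x) }` walk recurses into hashes only, never into arrays) reaches the controller untouched and can still become an `IS NULL` / `IN (NULL)` predicate if it is handed to a finder. Whether Rack's query parser on this Rails 2.3.14 stack can actually emit such shapes from something like `?foo[]&foo[]` I cannot confirm from the hunk, but the safer shape is to drop nils from every array rather than match one exact value: add `v.compact!` directly after the `v.grep(Hash) { |x| deep_munge(x) }` line. Note that with that line in place a lone `[nil]` becomes `[]` before the `== [nil]` scan runs, so that scan turns dead and any caller that relies on getting `nil` for that case should be rechecked. Because `normalize_parameters` is a verbatim copy of the framework's private method with one `deep_munge` call added, the `# Monkey patch for CVE-2012-2660 on Rails 2.3.14` header should also state that this initializer must be removed or re-diffed against the framework on any Rails upgrade, since it would otherwise silently override the upstream implementation.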