Monkey-patch for CVE-2012-2660

Stolen from FixMyTransport. Thanks @crowbot!

1 files changed, 51 insertions, 0 deletions

diff --git a/config/initializers/strip_nil_parameters_patch.rb b/config/initializers/strip_nil_parameters_patch.rb
new file mode 100644
index 000000000..35d0a28c5
--- /dev/null
+++ b/config/initializers/strip_nil_parameters_patch.rb
@@ -0,0 +1,51 @@
+# Stolen from https://raw.github.com/mysociety/fixmytransport/fa9b014eb2628c300693e055f129cb8959772082/config/initializers/strip_nil_parameters_patch.rb
+
+# Monkey patch for CVE-2012-2660 on Rails 2.3.14
+
+# Strip [nil] from parameters hash
+# based on a pull request from @sebbacon
+# https://github.com/rails/rails/pull/6580
+
+module ActionController
+  class Request < Rack::Request
+    protected
+      def deep_munge(hash)
+        hash.each_value do |v|
+          case v
+          when Array
+            v.grep(Hash) { |x| deep_munge(x) }
+          when Hash
+            deep_munge(v)
+          end
+        end
+
+        keys = hash.keys.find_all { |k| hash[k] == [nil] }
+        keys.each { |k| hash[k] = nil }
+        hash
+      end
+
+    private
+
+      def normalize_parameters(value)
+        case value
+        when Hash
+          if value.has_key?(:tempfile)
+            upload = value[:tempfile]
+            upload.extend(UploadedFile)
+            upload.original_path = value[:filename]
+            upload.content_type = value[:type]
+            upload
+          else
+            h = {}
+            value.each { |k, v| h[k] = normalize_parameters(v) }
+            deep_munge(h.with_indifferent_access)
+          end
+        when Array
+          value.map { |e| normalize_parameters(e) }
+        else
+          value
+        end
+      end
+
+  end
+end