| -rw-r--r-- | config/initializers/strip_nil_parameters_patch.rb | 51 | 
1 files changed, 51 insertions, 0 deletions
| 
diff --git a/config/initializers/strip_nil_parameters_patch.rb b/config/initializers/strip_nil_parameters_patch.rb
new file mode 100644
index 000000000..35d0a28c5
--- /dev/null
+++ b/config/initializers/strip_nil_parameters_patch.rb
@@ -0,0 +1,51 @@
+# Stolen from https://raw.github.com/mysociety/fixmytransport/fa9b014eb2628c300693e055f129cb8959772082/config/initializers/strip_nil_parameters_patch.rb
+
+# Monkey patch for CVE-2012-2660 on Rails 2.3.14
+
+# Strip [nil] from parameters hash
+# based on a pull request from @sebbacon
+# https://github.com/rails/rails/pull/6580
+
+module ActionController
+  class Request < Rack::Request
+    protected
+      def deep_munge(hash)
+        hash.each_value do |v|
+          case v
+          when Array
+            v.grep(Hash) { |x| deep_munge(x) }
+          when Hash
+            deep_munge(v)
+          end
+        end
+
+        keys = hash.keys.find_all { |k| hash[k] == [nil] }
+        keys.each { |k| hash[k] = nil }
+        hash
+      end
+
+    private
+
+      def normalize_parameters(value)
+        case value
+        when Hash
+          if value.has_key?(:tempfile)
+            upload = value[:tempfile]
+            upload.extend(UploadedFile)
+            upload.original_path = value[:filename]
+            upload.content_type = value[:type]
+            upload
+          else
+            h = {}
+            value.each { |k, v| h[k] = normalize_parameters(v) }
+            deep_munge(h.with_indifferent_access)
+          end
+        when Array
+          value.map { |e| normalize_parameters(e) }
+        else
+          value
+        end
+      end
+
+  end
+end
| 
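Review bot: `deep_munge` only neutralises a parameter whose value is exactly `[nil]` (`hash[k] == [nil]` in the trailing pass), so an array holding several nils, or a nil alongside other elements, still reaches the model layer with nil entries and the query-generation problem the header comment names is only partly closed. A more complete munge iterates with `hash.each do |k, v|`, drops nil elements from every array with `v.compact!`, and replaces the whole value with nil when the array ends up empty, which also makes the separate `find_all`/`each` pass at the end of the method redundant. The `Hash` branch and the recursion into hashes inside arrays stay as written. Since this patch reproduces `normalize_parameters` wholesale from Rails 2.3.14 internals, the header comment should also record that it must be re-verified or removed on any framework upgrade, e.g. `# Copies Request#normalize_parameters from Rails 2.3.14; re-check on every Rails bump.`
```ruby
      def deep_munge(hash)
        hash.each do |k, v|
          case v
          when Array
            v.grep(Hash) { |x| deep_munge(x) }
            v.compact!
            hash[k] = nil if v.empty?
          # … unchanged: Hash branch recursing via deep_munge(v) …
          end
        end
        hash
      end
```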
