| @@ -85,4 +85,30 module ActionController | |||||
| 85 | end |
|
85 | end | |
| 86 | end |
|
86 | end | |
| 87 | end |
|
87 | end | |
|
|
88 | ||||
|
|
89 | # CVE-2012-2660 | |||
|
|
90 | # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f | |||
|
|
91 | class Request | |||
|
|
92 | protected | |||
|
|
93 | ||||
|
|
94 | # Remove nils from the params hash | |||
|
|
95 | def deep_munge(hash) | |||
|
|
96 | hash.each_value do |v| | |||
|
|
97 | case v | |||
|
|
98 | when Array | |||
|
|
99 | v.grep(Hash) { |x| deep_munge(x) } | |||
|
|
100 | when Hash | |||
|
|
101 | deep_munge(v) | |||
|
|
102 | end | |||
|
|
103 | end | |||
|
|
104 | ||||
|
|
105 | keys = hash.keys.find_all { |k| hash[k] == [nil] } | |||
|
|
106 | keys.each { |k| hash[k] = nil } | |||
|
|
107 | hash | |||
|
|
108 | end | |||
|
|
109 | ||||
|
|
110 | def parse_query(qs) | |||
|
|
111 | deep_munge(super) | |||
|
|
112 | end | |||
|
|
113 | end | |||
| 88 | end |
|
114 | end | |
General Comments 0
You need to be logged in to leave comments.
Login now