Package: rails / 2:4.1.8-1+deb8u4

From 1b84d905801125fcca0c8f43bf6af7d7872ac87e Mon Sep 17 00:00:00 2001
From: Arthur Neves <arthurnn@gmail.com>
Date: Wed, 24 Feb 2016 20:29:10 -0500
Subject: [PATCH 2/2] Don't allow render(params) on views.

If `render(params)` is called in a view it should be protected the same
 way it is in the controllers. We should raise an error if that happens.

Fix CVE-2016-2098.
---
 actionpack/test/controller/render_test.rb       | 24 +++++++++++++++++++++++-
 actionview/lib/action_view/renderer/renderer.rb |  4 ++++
 actionview/test/template/render_test.rb         | 19 +++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index 0fcbb86..7bdf65c 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -258,6 +258,16 @@ class MetalTestController < ActionController::Metal
   end
 end
 
+class MetalWithoutAVTestController < ActionController::Metal
+  include AbstractController::Rendering
+  include ActionController::Rendering
+  include ActionController::StrongParameters
+
+  def dynamic_params_render
+    render params
+  end
+end
+
 class ExpiresInRenderTest < ActionController::TestCase
   tests TestController
 
@@ -294,9 +304,10 @@ class ExpiresInRenderTest < ActionController::TestCase
   end
 
   def test_dynamic_render_file_hash
-    assert_raises ArgumentError do
+    e = assert_raises ArgumentError do
       get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
     end
+    assert_equal "render parameters are not permitted", e.message
   end
 
   def test_expires_in_header
@@ -473,6 +484,17 @@ class MetalRenderTest < ActionController::TestCase
   end
 end
 
+class MetalRenderWithoutAVTest < ActionController::TestCase
+  tests MetalWithoutAVTestController
+
+  def test_dynamic_params_render
+    e = assert_raises ArgumentError do
+      get :dynamic_params_render, { inline: '<%= RUBY_VERSION %>' }
+    end
+    assert_equal "render parameters are not permitted", e.message
+  end
+end
+
 class HeadRenderTest < ActionController::TestCase
   tests TestController
 
diff --git a/actionview/lib/action_view/renderer/renderer.rb b/actionview/lib/action_view/renderer/renderer.rb
index 964b183..5ba7b2b 100644
--- a/actionview/lib/action_view/renderer/renderer.rb
+++ b/actionview/lib/action_view/renderer/renderer.rb
@@ -17,6 +17,10 @@ module ActionView
 
     # Main render entry point shared by AV and AC.
     def render(context, options)
+      if options.respond_to?(:permitted?) && !options.permitted?
+        raise ArgumentError, "render parameters are not permitted"
+      end
+
       if options.key?(:partial)
         render_partial(context, options)
       else
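Review bot: The guard added at the top of `render` only trips when the options object itself answers `permitted?` (an `ActionController::Parameters` passed through unchanged, as in the new `MetalWithoutAVTestController#dynamic_params_render` test); a plain Hash derived from request data — e.g. one built from `params.to_hash` or from individual values — does not respond to `permitted?` and, as far as this hunk shows, goes straight on to the `:inline`/`:file` handling that the patch's own tests demonstrate is reachable, so this is a check on the object's type, not on the option values. That is a reasonable framework boundary, but it deserves a comment so the next maintainer does not weaken it into a conversion; I would add above the `if`: `# CVE-2016-2098: refuse to render straight from unpermitted strong parameters — a request could otherwise pick :inline or :file and run an attacker-chosen template.` The body of `render` continues past the end of the hunk.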
diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb
index caf6d13..b3de94f 100644
--- a/actionview/test/template/render_test.rb
+++ b/actionview/test/template/render_test.rb
@@ -149,6 +149,25 @@ module RenderTestCases
     end
   end
 
+  def test_render_with_strong_parameters
+    params = { :inline => '<%= RUBY_VERSION %>' }
+    def params.permitted?
+      false
+    end
+    e = assert_raises ArgumentError do
+      @view.render(params)
+    end
+    assert_equal "render parameters are not permitted", e.message
+  end
+
+  def test_render_with_permitted_strong_parameters
+    params = { inline: "<%= 'hello' %>" }
+    def params.permitted?
+      true
+    end
+    assert_equal 'hello', @view.render(params)
+  end
+
   def test_render_partial
     assert_equal "only partial", @view.render(:partial => "test/partial_only")
   end
-- 
2.5.4 (Apple Git-61)