File CVE-2021-22885.patch of Package rubygem-actionpack-4_2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-22885.patch of Package rubygem-actionpack-4_2 (Revision f012eea2845fd52f9d99f4c3bc6eb65a)

Currently displaying revision f012eea2845fd52f9d99f4c3bc6eb65a , Show latest

From 3eb9e74c287750a9fe11f700fc96d3be1e83aa35 Mon Sep 17 00:00:00 2001
From: Gannon McGibbon <gannon.mcgibbon@shopify.com>
Date: Thu, 18 Feb 2021 13:17:08 -0500
Subject: [PATCH] Prevent string polymorphic route arguments

url_for supports building polymorphic URLs via an array
of arguments (usually symbols and records). If an array is passed,
strings can result in unwanted route helper calls.

CVE-2021-22885
---
 .../routing/polymorphic_routes.rb             | 12 +++--
 4 files changed, 79 insertions(+), 10 deletions(-)

diff --git a/lib/action_dispatch/routing/polymorphic_routes.rb b/lib/action_dispatch/routing/polymorphic_routes.rb
index 6da869c0c2..84b78e1cb2 100644
--- a/lib/action_dispatch/routing/polymorphic_routes.rb
+++ b/lib/action_dispatch/routing/polymorphic_routes.rb
@@ -274,10 +274,12 @@ def handle_list(list)
 
           args = []
 
-          route  = record_list.map { |parent|
+          route = record_list.map do |parent|
             case parent
-            when Symbol, String
+            when Symbol
               parent.to_s
+            when String
+              raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
             when Class
               args << parent
               parent.model_name.singular_route_key
@@ -285,12 +287,14 @@ def handle_list(list)
               args << parent.to_model
               parent.to_model.model_name.singular_route_key
             end
-          }
+          end
 
           route <<
           case record
-          when Symbol, String
+          when Symbol
             record.to_s
+          when String
+            raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
           when Class
             @key_strategy.call record.model_name
           else

Places

File CVE-2021-22885.patch of Package rubygem-actionpack-4_2 (Revision f012eea2845fd52f9d99f4c3bc6eb65a)

Places