SUSE:SLE-15-SP1:Update
File 0003-CVE-2021-22885.patch of Package rubygem-actionpack-5_1
From 3eb9e74c287750a9fe11f700fc96d3be1e83aa35 Mon Sep 17 00:00:00 2001 From: Gannon McGibbon <gannon.mcgibbon@shopify.com> Date: Thu, 18 Feb 2021 13:17:08 -0500 Subject: [PATCH] Prevent string polymorphic route arguments url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If an array is passed, strings can result in unwanted route helper calls. CVE-2021-22885 --- .../routing/polymorphic_routes.rb | 12 +++-- 4 files changed, 79 insertions(+), 10 deletions(-) diff --git a/lib/action_dispatch/routing/polymorphic_routes.rb b/lib/action_dispatch/routing/polymorphic_routes.rb index 6da869c0c2..84b78e1cb2 100644 --- a/lib/action_dispatch/routing/polymorphic_routes.rb +++ b/lib/action_dispatch/routing/polymorphic_routes.rb @@ -286,10 +286,12 @@ def handle_list(list) args = [] - route = record_list.map { |parent| + route = record_list.map do |parent| case parent - when Symbol, String + when Symbol parent.to_s + when String + raise(ArgumentError, "Please use symbols for polymorphic route arguments.") when Class args << parent parent.model_name.singular_route_key @@ -297,12 +299,14 @@ def handle_list(list) args << parent.to_model parent.to_model.model_name.singular_route_key end - } + end route << case record - when Symbol, String + when Symbol record.to_s + when String + raise(ArgumentError, "Please use symbols for polymorphic route arguments.") when Class @key_strategy.call record.model_name else
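Review bot: In the first hunk (`record_list.map`), the switch from `{ |parent| ... }` to `do |parent| ... end` is a style-only change carried inside a CVE fix. For a distribution backport I would drop it so the diff contains only the `when Symbol` / `when String` split and is easier to audit and apply to other branches. The functional part reads correctly from the visible lines: a String `parent` no longer falls through to `parent.to_s` and raises instead.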
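Review bot: In the second hunk (`route << case record`), the new `when String` branch repeats the exact `raise(ArgumentError, "Please use symbols for polymorphic route arguments.")` already added for `parent` in the first hunk; moving the message into one constant or a small private method would keep the two from drifting apart. Callers that passed strings inside the array now get an `ArgumentError` when the URL is built, so the package changelog should state that behaviour change. The header reports 4 files changed while only `polymorphic_routes.rb` is visible here, so confirm that tests covering both the `parent` and `record` branches are included in this patch file.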