Commit 9eb7030f authored by Francisco Juan's avatar Francisco Juan

Merge tag 'tags/v2.7.2'

parents a475d02d 8d56d327
......@@ -115,4 +115,32 @@ module ActionController
end
end
end
# Backported fix for CVE-2012-2660
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
# TODO: Remove this once we are on Rails >= 3.2.4
require 'action_controller/request'
class Request
protected
# Remove nils from the params hash
def deep_munge(hash)
hash.each_value do |v|
case v
when Array
v.grep(Hash) { |x| deep_munge(x) }
when Hash
deep_munge(v)
end
end
keys = hash.keys.find_all { |k| hash[k] == [nil] }
keys.each { |k| hash[k] = nil }
hash
end
def parse_query(qs)
deep_munge(super)
end
end
end
= ChiliProject changelog
== 2012-06-09 v2.7.2
* Bug #1025: Rails: Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)
== 2012-04-04 v2.7.1
* Bug #922: Mass assignment
......
......@@ -19,7 +19,7 @@ module ChiliProject
MAJOR = 2
MINOR = 7
PATCH = 1
PATCH = 2
TINY = PATCH # Redmine compat
# Used by semver to define the special version (if any).
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment