git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.4-stable@9767 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/1.4.3
end | end | ||||
end | end | ||||
end | end | ||||
# CVE-2012-2660 | |||||
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f | |||||
class Request | |||||
protected | |||||
# Remove nils from the params hash | |||||
def deep_munge(hash) | |||||
hash.each_value do |v| | |||||
case v | |||||
when Array | |||||
v.grep(Hash) { |x| deep_munge(x) } | |||||
when Hash | |||||
deep_munge(v) | |||||
end | |||||
end | |||||
keys = hash.keys.find_all { |k| hash[k] == [nil] } | |||||
keys.each { |k| hash[k] = nil } | |||||
hash | |||||
end | |||||
def parse_query(qs) | |||||
deep_munge(super) | |||||
end | |||||
end | |||||
end | end |