mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Reset rack.input when the environment is scrubbed for the next request

Before this change, posted parameters would leak across requests. The included
test case failed like so:

      1) Failure:
    TestCaseTest#test_multiple_mixed_method_process_should_scrub_rack_input:
    --- expected
    +++ actual
    @@ -1 +1 @@
    -{"bar"=>"an bar", "controller"=>"test_case_test/test", "action"=>"test_params"}
    +{"foo"=>"an foo", "bar"=>"an bar", "controller"=>"test_case_test/test", "action"=>"test_params"}

An argument could be made that this situation isn't encountered often and that
one should limit the number of requests per test case, but I still think the
parameter leaking is an unexpected side-effect.
Nick Sieger 2016-07-27 11:58:55 -05:00
parent 7e6996a1b3
commit 407583478a
2 changed files with 9 additions and 0 deletions


@ -620,6 +620,7 @@ module ActionController
env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ } env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }
env.delete 'action_dispatch.request.query_parameters' env.delete 'action_dispatch.request.query_parameters'
env.delete 'action_dispatch.request.request_parameters' env.delete 'action_dispatch.request.request_parameters'
env['rack.input'] = StringIO.new
env env
end end
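Review bot: The added `env['rack.input'] = StringIO.new` replaces the body stream, but nothing visible in this hunk clears the other body-derived entries, so a stale `CONTENT_LENGTH` or a cached `RAW_POST_DATA` from the previous POST could still describe a body that no longer exists. If those keys survive between requests here, I would drop them alongside the reset: `env.delete 'CONTENT_LENGTH'` and `env.delete 'RAW_POST_DATA'`. The method starts above the hunk, so they may already be handled there; that is worth confirming. A one-line comment such as `# Fresh, empty body so posted params cannot carry into the next request` would also record why the reset exists.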


@ -854,6 +854,14 @@ XML
assert_nil cookies['foo'] assert_nil cookies['foo']
end end
def test_multiple_mixed_method_process_should_scrub_rack_input
post :test_params, params: { id: 1, foo: 'an foo' }
assert_equal({"id"=>"1", "foo" => "an foo", "controller"=>"test_case_test/test", "action"=>"test_params"}, ::JSON.parse(@response.body))
get :test_params, params: { bar: 'an bar' }
assert_equal({"bar"=>"an bar", "controller"=>"test_case_test/test", "action"=>"test_params"}, ::JSON.parse(@response.body))
end
%w(controller response request).each do |variable| %w(controller response request).each do |variable|
%w(get post put delete head process).each do |method| %w(get post put delete head process).each do |method|
define_method("test_#{variable}_missing_for_#{method}_raises_error") do define_method("test_#{variable}_missing_for_#{method}_raises_error") do
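Review bot: The new test has no comment saying which regression it guards, and the name alone does not say that the leak travels through the request body. I would add above the `post` call: `# Regression: a POST body left in rack.input must not be re-parsed by the following GET.` The second assertion compares the full params hash, which is what catches a leaked `foo`, so it is worth keeping as an exact match rather than loosening it to a key check. The enclosing test class begins outside the hunk.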