Properly escape glob characters.
This commit is contained in:
parent
bfc432574d
commit
5f94b93279
3 changed files with 27 additions and 3 deletions
|
@ -142,8 +142,12 @@ module ActionView
|
|||
# Helper for building query glob string based on resolver's pattern.
|
||||
def build_query(path, details)
|
||||
query = @pattern.dup
|
||||
query.gsub!(/\:prefix(\/)?/, path.prefix.empty? ? "" : "#{path.prefix}\\1") # prefix can be empty...
|
||||
query.gsub!(/\:action/, path.partial? ? "_#{path.name}" : path.name)
|
||||
|
||||
prefix = path.prefix.empty? ? "" : "#{escape_entry(path.prefix)}\\1"
|
||||
query.gsub!(/\:prefix(\/)?/, prefix)
|
||||
|
||||
partial = escape_entry(path.partial? ? "_#{path.name}" : path.name)
|
||||
query.gsub!(/\:action/, partial)
|
||||
|
||||
details.each do |ext, variants|
|
||||
query.gsub!(/\:#{ext}/, "{#{variants.compact.uniq.join(',')}}")
|
||||
|
@ -152,6 +156,10 @@ module ActionView
|
|||
File.expand_path(query, @path)
|
||||
end
|
||||
|
||||
def escape_entry(entry)
|
||||
entry.gsub(/(\*|\[|\]|\{|\}|\?)/, "\\\\\\1")
|
||||
end
|
||||
|
||||
# Returns the file mtime from the filesystem.
|
||||
def mtime(p)
|
||||
File.mtime(p)
|
||||
|
@ -228,8 +236,9 @@ module ActionView
|
|||
class OptimizedFileSystemResolver < FileSystemResolver #:nodoc:
|
||||
def build_query(path, details)
|
||||
exts = EXTENSIONS.map { |ext| details[ext] }
|
||||
query = escape_entry(File.join(@path, path))
|
||||
|
||||
File.join(@path, path) + exts.map { |ext|
|
||||
query + exts.map { |ext|
|
||||
"{#{ext.compact.uniq.map { |e| ".#{e}," }.join}}"
|
||||
}.join
|
||||
end
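Review bot: `escape_entry` in the second hunk escapes `* [ ] { } ?` but not the backslash, which is itself the glob escape character on non-Windows platforms, so an entry containing `\` immediately before a metacharacter comes out as `\\*` — a literal backslash followed by a still-live wildcard — and the escaping is bypassed for that character. If a template name can reach `build_query` with a backslash in it (not visible from this commit), add it to the class, e.g. `entry.gsub(/[\\*\[\]{}?]/) { |c| "\\#{c}" }`, which also avoids the hard-to-read `"\\\\\\1"` replacement; on Windows the backslash is a path separator, so that addition would have to be platform-conditional or the glob calls would need `File::FNM_NOESCAPE`. Either way the method deserves a comment stating its contract, such as `# Backslash-escape Dir.glob metacharacters so a template name is matched literally; backslash itself is not escaped (Windows separator).` so the next reader knows the omission is deliberate rather than an oversight. The `build_query` that starts in the first hunk ends in the second, and the `OptimizedFileSystemResolver#build_query` in the third hunk runs past the hunk's end.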
|
||||
|
|
|
@ -405,6 +405,14 @@ class TestController < ActionController::Base
|
|||
render :template => "test/hello_world"
|
||||
end
|
||||
|
||||
def render_with_explicit_unescaped_template
|
||||
render :template => "test/h*llo_world"
|
||||
end
|
||||
|
||||
def render_with_explicit_escaped_template
|
||||
render :template => "test/hello_w*rld"
|
||||
end
|
||||
|
||||
def render_with_explicit_string_template
|
||||
render "test/hello_world"
|
||||
end
|
||||
|
@ -1057,6 +1065,12 @@ class RenderTest < ActionController::TestCase
|
|||
assert_response :success
|
||||
end
|
||||
|
||||
def test_render_with_explicit_unescaped_template
|
||||
assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
|
||||
get :render_with_explicit_escaped_template
|
||||
assert_equal "Hello w*rld!", @response.body
|
||||
end
|
||||
|
||||
def test_render_with_explicit_string_template
|
||||
get :render_with_explicit_string_template
|
||||
assert_equal "<html>Hello world!</html>", @response.body
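Review bot: `test_render_with_explicit_unescaped_template` in the second hunk asserts two distinct behaviours under one name — that a `*` in the template name no longer glob-matches `hello_world`, and that a fixture literally named `hello_w*rld` is still found — so a regression in the second assertion would be reported under a misleading test name. Split it after the `assert_raise` line by inserting `end` and `def test_render_with_explicit_escaped_template`, which mirrors the two controller actions added in the first hunk. Those actions carry no comment explaining why a fixture with a `*` in its filename exists; a one-liner on `render_with_explicit_escaped_template` such as `# the * must be treated literally by the resolver, not as a glob wildcard` would record the intent next to the odd-looking name.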
|
||||
|
|
1
actionpack/test/fixtures/test/hello_w*rld.erb
|
@ -0,0 +1 @@
|
|||
Hello w*rld!
|