mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Sorry, wrong patch applied.
This commit is contained in:
parent
791407d996
commit
d9f037ea1f
1 changed files with 2 additions and 6 deletions
@ -528,7 +528,7 @@ Ruby uses a slightly different approach than many other languages to match the e
<ruby>
class File < ActiveRecord::Base
validates_format_of :name, :with => /^[\w\.\-\+]+$/ # [1]
validates_format_of :name, :with => /^[\w\.\-\+]+$/
end
</ruby>
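Review bot: dropping the `# [1]` marker is the right call, since inside a `<ruby>` block Textile renders it as a literal Ruby comment rather than a footnote reference, which is what the fn1 note further down was complaining about. The pattern `/^[\w\.\-\+]+$/` itself is correctly left untouched, because this block is the insecure example that the following paragraph contrasts with the `\A ... \z` form; consider saying so explicitly in the prose directly above the block, so a reader who copies the snippet does not mistake it for the recommended validation.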
@ -541,13 +541,9 @@ file.txt%0A<script>alert('hello')</script>
Whereas %0A is a line feed in URL encoding, so Rails automatically converts it to "file.txt\n<script>alert('hello')</script>". This file name passes the filter because the regular expression matches – up to the line end, the rest does not matter. The correct expression should read:
<ruby>
/\A[\w\.\-\+]+\z/ # [2]
/\A[\w\.\-\+]+\z/
</ruby>
fn1. Obviously, this regular expression gets rendered incorrectly by Textile. Could the original author please see into this?
fn2. And this too, please.
h4. Privilege escalation
-- _Changing a single parameter may give the user unauthorized access. Remember that every parameter may be changed, no matter how much you hide or obfuscate it._
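Review bot: removing the `# [2]` marker together with the fn1/fn2 footnotes is consistent with the first hunk, since the markers were rendered as Ruby comments inside `<ruby>` rather than as footnotes. While this paragraph is being touched, it would help to state why `\A` and `\z` close the bypass: in Ruby `^` and `$` match at every line boundary, so `$` matches just before the `\n` in `"file.txt\n<script>alert('hello')</script>"` and the injected tail is never examined, whereas `\A` and `\z` anchor to the absolute start and end of the whole string. It is also worth noting that the lowercase `\z` is deliberate: `\Z` would still accept a single trailing newline.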