prevent tampering with host, port, protocol

Prevents :host, :port, :protocol settings get inherited from GET query parameters. Fixes #285
mislav · Sep 18, 2013 · c62c6f6 · c62c6f6 · jordimassaguerpla · Jan 9, 2014
1 parent a213b7e
commit c62c6f6
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/lib/will_paginate/view_helpers/action_view.rb b/lib/will_paginate/view_helpers/action_view.rb
@@ -106,6 +106,7 @@ def default_url_params
  def url(page)
  @base_url_params ||= begin
  url_params = merge_get_params(default_url_params)
+ url_params[:only_path] = true
  merge_optional_params(url_params)
  end
 

diff --git a/spec/view_helpers/action_view_spec.rb b/spec/view_helpers/action_view_spec.rb
@@ -189,6 +189,15 @@ def renderer.gap() '<span class="my-gap">~~</span>' end
  paginate
  assert_links_match /foo\[bar\]=baz/
  end
+
+ it "doesn't allow tampering with host, port, protocol" do
+ request.params :host => 'disney.com', :port => '99', :protocol => 'ftp'
+ paginate
+ assert_links_match %r{^/foo/bar}
+ assert_no_links_match /disney/
+ assert_no_links_match /99/
+ assert_no_links_match /ftp/
+ end
 
  it "should not preserve parameters on POST" do
  request.post
@@ -328,16 +337,16 @@ class << helper
  include Routes.url_helpers
  include WillPaginate::ActionView
  end
- helper.default_url_options[:host] = 'example.com'
- helper.default_url_options[:controller] = 'dummy'
- # helper.default_url_options[:only_path] = true
+ helper.default_url_options.update \
+  :only_path => true,
+  :controller => 'dummy'
 
  collection = WillPaginate::Collection.new(2, 1, 3)
  @render_output = helper.will_paginate(collection)
 
  assert_select 'a[href]', 4 do |links|
  urls = links.map {|l| l['href'] }.uniq
- urls.should == ['http://example.com/dummy/page/1', 'http://example.com/dummy/page/3']
+ urls.should == ['/dummy/page/1', '/dummy/page/3']
  end
  end