Deep Munge the parameters for GET and POST

NZKoz · tenderlove · commit d5a4095ca572 · 2013-12-02T14:14:35.000-08:00
The previous implementation of this functionality could be accidentally subverted by instantiating a raw Rack::Request before the first Rails::Request was constructed. Fixes CVE-2013-6417 Conflicts: actionpack/lib/action_dispatch/http/request.rb
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
@@ -228,13 +228,13 @@ def session_options=(options)
 
     # Override Rack's GET method to support indifferent access
     def GET
-      @env["action_dispatch.request.query_parameters"] ||= (normalize_parameters(super) || {})
+      @env["action_dispatch.request.query_parameters"] ||= deep_munge(normalize_parameters(super) || {})
     end
     alias :query_parameters :GET
 
     # Override Rack's POST method to support indifferent access
     def POST
-      @env["action_dispatch.request.request_parameters"] ||= (normalize_parameters(super) || {})
+      @env["action_dispatch.request.request_parameters"] ||= deep_munge(normalize_parameters(super) || {})
     end
     alias :request_parameters :POST
 
diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
@@ -11,6 +11,17 @@ def parse
       head :ok
     end
   end
+  class EarlyParse
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      # Trigger a Rack parse so that env caches the query params
+      Rack::Request.new(env).params
+      @app.call(env)
+    end
+  end
 
   def teardown
     TestController.last_query_parameters = nil
@@ -120,6 +131,10 @@ def assert_parses(expected, actual)
         set.draw do
           match ':action', :to => ::QueryStringParsingTest::TestController
         end
+        @app = self.class.build_app(set) do |middleware|
+          middleware.use(EarlyParse)
+        end
+
 
         get "/parse", actual
         assert_response :ok
