@gaizka
Created June 5, 2012 16:57
Patch for Rails null param vulnerability (CVE-2012-2660) ported to Rails 2.3.x versions
# Adapted patch for the CVE-2012-2660 Rails vulnerability, for Rails 2 versions
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
#
# 1- Drop it at your_app/config/initializers/
# 2- Remember to pass your tests/specs
# 3- Profit!
module ActionController
  class Request < Rack::Request
    # Keep the original (vulnerable) implementation reachable under another name
    alias_method :normalize_parameters_with_null_vulnerability, :normalize_parameters

    # http://my.site/object/4/edit?token[]
    # would have had params:
    #   {"token"=>[nil] }
    # This change turns them into
    #   {"token"=> nil }

    # Convert nested Hashes to HashWithIndifferentAccess and replace
    # file upload hashes with UploadedFile objects
    def normalize_parameters(value)
      case value
      when Hash
        if value.has_key?(:tempfile)
          upload = value[:tempfile]
          upload.extend(UploadedFile)
          upload.original_path = value[:filename]
          upload.content_type = value[:type]
          upload
        else
          h = {}
          value.each { |k, v| h[k] = normalize_parameters(v) }
          # Original, vulnerable behaviour
          # h.with_indifferent_access
          # Safe behaviour
          deep_munge(h).with_indifferent_access
        end
      when Array
        value.map { |e| normalize_parameters(e) }
      else
        value
      end
    end

    # Taken from 3-0-null_param.patch
    # Remove nils from the params hash: walk nested hashes (including those
    # inside arrays) and replace any value that is exactly [nil] with nil
    def deep_munge(hash)
      hash.each_value do |v|
        case v
        when Array
          v.grep(Hash) { |x| deep_munge(x) }
        when Hash
          deep_munge(v)
        end
      end

      keys = hash.keys.find_all { |k| hash[k] == [nil] }
      keys.each { |k| hash[k] = nil }
      hash
    end
  end
end
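Added example, not part of the gist: it runs the same deep_munge logic over constructed parameter hashes shaped like what Rack produces for "?token[]", shows which shapes are rewritten and which are left alone, and uses a hypothetical nil-guarded token lookup (not from any Rails app) to show why the patch matters.

```ruby
# Stand-alone demo of the gist's deep_munge behaviour (no Rails needed).
module NullParamDemo
  # Same logic as the gist's deep_munge: nested hashes (also those inside
  # arrays) are walked, and only a value that is exactly [nil] becomes nil.
  def self.deep_munge(hash)
    hash.each_value do |v|
      case v
      when Array then v.grep(Hash) { |x| deep_munge(x) }
      when Hash  then deep_munge(v)
      end
    end
    keys = hash.keys.find_all { |k| hash[k] == [nil] }
    keys.each { |k| hash[k] = nil }
    hash
  end

  # Hypothetical controller-style guard: refuse a lookup when no token was
  # sent. Before munging, [nil] is not nil and slips past this check.
  def self.token_lookup(params)
    token = params["token"]
    return :rejected if token.nil?
    :looked_up
  end

  # Constructed samples mimicking Rack's parse of "?token[]" and friends.
  def self.samples
    {
      top_level: { "token" => [nil] },
      nested:    { "user" => { "token" => [nil], "name" => "bob" } },
      in_array:  { "users" => [{ "token" => [nil] }, { "token" => "x" }] },
      mixed:     { "ids" => ["1", nil] },   # not exactly [nil]: untouched
      double:    { "token" => [[nil]] }     # not exactly [nil]: untouched
    }
  end

  # Apply deep_munge to every sample and return the results by name.
  def self.munged_samples
    samples.each_with_object({}) { |(name, h), out| out[name] = deep_munge(h) }
  end
end
```

Note that only an exact `[nil]` is rewritten; an array that merely contains nil among other values passes through unchanged, so application code still has to validate element types.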