mirror of https://github.com/rails/rails
Rescue Rack::QueryParser::ParamsTooDeepError in HTTP request.
- render HTTP 400 - needs Rack 2.2.4+
This commit is contained in:
parent
e4990eec1c
commit
b0fdca4fbc
|
@ -39,7 +39,7 @@ PATH
|
|||
actionpack (7.1.0.alpha)
|
||||
actionview (= 7.1.0.alpha)
|
||||
activesupport (= 7.1.0.alpha)
|
||||
rack (~> 2.0, >= 2.2.0)
|
||||
rack (~> 2.0, >= 2.2.4)
|
||||
rack-test (>= 0.6.3)
|
||||
rails-dom-testing (~> 2.0)
|
||||
rails-html-sanitizer (~> 1.0, >= 1.2.0)
|
||||
|
@ -380,7 +380,7 @@ GEM
|
|||
pg (>= 1.1, < 2.0)
|
||||
raabro (1.4.0)
|
||||
racc (1.6.0)
|
||||
rack (2.2.3)
|
||||
rack (2.2.4)
|
||||
rack-cache (1.13.0)
|
||||
rack (>= 0.4)
|
||||
rack-protection (2.1.0)
|
||||
|
|
|
@ -35,7 +35,7 @@ Gem::Specification.new do |s|
|
|||
|
||||
s.add_dependency "activesupport", version
|
||||
|
||||
s.add_dependency "rack", "~> 2.0", ">= 2.2.0"
|
||||
s.add_dependency "rack", "~> 2.0", ">= 2.2.4"
|
||||
s.add_dependency "rack-test", ">= 0.6.3"
|
||||
s.add_dependency "rails-html-sanitizer", "~> 1.0", ">= 1.2.0"
|
||||
s.add_dependency "rails-dom-testing", "~> 2.0"
|
||||
|
|
|
@ -391,7 +391,7 @@ module ActionDispatch
|
|||
Request::Utils.check_param_encoding(rack_query_params)
|
||||
set_header k, Request::Utils.normalize_encode_params(rack_query_params)
|
||||
end
|
||||
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
|
||||
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError => e
|
||||
raise ActionController::BadRequest.new("Invalid query parameters: #{e.message}")
|
||||
end
|
||||
alias :query_parameters :GET
|
||||
|
@ -406,7 +406,7 @@ module ActionDispatch
|
|||
Request::Utils.check_param_encoding(pr)
|
||||
self.request_parameters = Request::Utils.normalize_encode_params(pr)
|
||||
end
|
||||
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, EOFError => e
|
||||
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError, EOFError => e
|
||||
raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}")
|
||||
end
|
||||
alias :request_parameters :POST
|
||||
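Review bot: The rescue list at the GET hunk and again at the POST hunk now names the same three Rack exception classes, with the POST line adding EOFError on top, so the two lists will drift apart the next time Rack grows a parser error; hoist the shared classes into a frozen constant, `PARAMETER_PARSING_ERRORS = [Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError].freeze`, and use `rescue *PARAMETER_PARSING_ERRORS => e` in GET and `rescue *PARAMETER_PARSING_ERRORS, EOFError => e` in POST. Because Ruby evaluates the class expressions in a rescue clause only when an exception actually propagates, the new constant reference does not fail at load time on a Rack below the `>= 2.2.4` floor set in the gemspec hunk; it would surface as a NameError only on the first malformed request, which is why a comment above the rescue, `# Rack::QueryParser::ParamsTooDeepError exists from Rack 2.2.4 (gemspec floor)`, is worth adding. Both GET and POST begin before their hunks, so the begin block each rescue belongs to is not visible here.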
|
|
|
@ -201,6 +201,25 @@ module ApplicationTests
|
|||
assert_match "Invalid query parameters", last_response.body
|
||||
end
|
||||
|
||||
test "displays diagnostics message when too deep query parameters are provided" do
|
||||
controller :foo, <<-RUBY
|
||||
class FooController < ActionController::Base
|
||||
def index
|
||||
end
|
||||
end
|
||||
RUBY
|
||||
|
||||
app.config.action_dispatch.show_exceptions = true
|
||||
app.config.consider_all_requests_local = true
|
||||
|
||||
limit = Rack::Utils.param_depth_limit + 1
|
||||
malicious_url = "/foo?#{'[test]' * limit}=test"
|
||||
|
||||
get malicious_url
|
||||
assert_equal 400, last_response.status
|
||||
assert_match "Invalid query parameters", last_response.body
|
||||
end
|
||||
|
||||
test "displays statement invalid template correctly" do
|
||||
controller :foo, <<-RUBY
|
||||
class FooController < ActionController::Base
|
||||
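Review bot: The new test only exercises the query-string path (`get malicious_url`), so the parallel rescue this commit adds to POST in request.rb, which reports "Invalid request parameters", has no coverage; add a sibling test that sends the same over-deep key as a form-encoded request body and asserts `assert_equal 400, last_response.status` and `assert_match "Invalid request parameters", last_response.body`. Deriving `limit` from `Rack::Utils.param_depth_limit` rather than hard-coding the depth is the right call, since the test then keeps tracking the configured limit. The enclosing test class starts before the hunk.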
|
|