#84 Fixed http://www.kb.cert.org/vuls/id/380039

lab2023 · Sep 5, 2013 · f8d303d · f8d303d · tayfunoziserikan · Sep 24, 2013
1 parent be7e2aa
commit f8d303d
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/lib/cybele/app_builder.rb b/lib/cybele/app_builder.rb
@@ -23,6 +23,10 @@ def add_ruby_version
       copy_file 'ruby_version', '.ruby_version'
     end
 
+    def add_disable_xml_params
+      copy_file 'config/initializers/disable_xml_params.rb', 'config/initializers/disable_xml_params.rb'
+    end
+
     def replace_application_rb_file
       remove_file 'config/application.rb'
       copy_file 'config/application.rb', 'config/application.rb'

diff --git a/lib/cybele/generators/app_generator.rb b/lib/cybele/generators/app_generator.rb
@@ -20,6 +20,7 @@ def customization
       invoke :customize_gemfile
       invoke :setup_editorconfig
       invoke :setup_ruby_version
+      invoke :setup_add_disable_xml_params
       invoke :setup_database
       invoke :remove_files_we_dont_need
       invoke :replace_files
@@ -52,6 +53,11 @@ def setup_ruby_version
       build :add_ruby_version
     end
 
+    def setup_add_disable_xml_params
+      say 'Add disable_xml_params.rb file to initilizers'
+      build :add_disable_xml_params
+    end
+
     def remove_files_we_dont_need
       say 'Remove files we don\'t need'
       build :remove_readme_rdoc

diff --git a/templates/config/initializers/disable_xml_params.rb b/templates/config/initializers/disable_xml_params.rb
@@ -0,0 +1,3 @@
+# Protect against injection attacks
+# http://www.kb.cert.org/vuls/id/380039
+ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)