Rails 5.0.0.beta1 - Generating an URL from non sanitized request parameters is insecure

与世无争的帅哥 submitted on 2019-12-06 17:13:21

Question


We are upgrading from Rails 4.2.5 to 5.0.0.beta1

When testing we expected to see index views rendered with paginated links as before. But we now get an ArgumentError error page, for example:

ArgumentError in Transactions#index 
/app/views/kaminari/_paginator.html.erb where line #10 raised:


<%= paginator.render do -%>

Generating an URL from non sanitized request parameters is insecure!

Application Trace | Framework Trace | Full Trace

app/views/kaminari/_paginator.html.erb:10:in `block in _app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/kaminari/_paginator.html.erb:9:in `_app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/transactions/index.html.erb:2:in `_app_views_transactions_index_html_erb__422882858554400818_60602560'

An issue has been raised with kaminari

On further investigation here is the new Rails 5.0.0.beta1 code that now throws the error:

Adding this to config/application.rb 'fixes' it, but not a great idea:

config.action_controller.permit_all_parameters = true

Instead adding this does not fix the issue, not sure why:

config.action_controller.always_permitted_parameters =  [:current_page, :page, :total_pages, :per_page, :remote, :paginator]
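
Added example (not part of the original post, and not Rails or kaminari code): a plain-Ruby model of what the check guards against and how an allow-list satisfies it. `RequestParams` and `build_url` are hypothetical stand-ins for `ActionController::Parameters` and `url_for`, and the request values are constructed.

```ruby
require "uri"

INSECURE_MSG = "Generating an URL from non sanitized request parameters is insecure!"

# Hypothetical stand-in for ActionController::Parameters (not the Rails class).
class RequestParams
  def initialize(hash, permitted = false)
    @hash = hash.transform_keys(&:to_sym)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Allow-list: keep only the named keys and mark the copy as safe to use.
  def permit(*keys)
    RequestParams.new(@hash.slice(*keys), true)
  end

  # Raw hash with no filtering, comparable to permitting everything.
  def to_unsafe_h
    @hash.dup
  end
end

# Hypothetical stand-in for url_for: :host and :protocol steer the URL itself,
# every other key becomes a query-string parameter.
def build_url(path, opts)
  if opts.is_a?(RequestParams)
    raise ArgumentError, INSECURE_MSG unless opts.permitted?
    opts = opts.to_unsafe_h
  end
  opts = opts.dup
  host = opts.delete(:host)
  protocol = opts.delete(:protocol) || "https"
  query = URI.encode_www_form(opts)
  relative = query.empty? ? path : "#{path}?#{query}"
  host ? "#{protocol}://#{host}#{relative}" : relative
end

# Constructed request: ?page=2&host=other.example
raw = RequestParams.new("page" => "2", "host" => "other.example")

puts build_url("/transactions", raw.to_unsafe_h)              # link leaves the site
puts build_url("/transactions", raw.permit(:page, :per_page)) # stays on the site
begin
  build_url("/transactions", raw)
rescue ArgumentError => e
  puts e.message
end
```

In a Rails 5 view the corresponding allow-list call is `params.permit(:page, :per_page)`, with the result passed to the URL helper.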

Answer 1:


This appears to be fixed in the GitHub master branch, so for now in your gem file specify:

# https:// rather than git://, which is an unauthenticated, unencrypted transport
gem 'kaminari', :git => "https://github.com/amatsuda/kaminari.git", :branch => 'master'


Source: https://stackoverflow.com/questions/34413971/rails-5-0-0-beta1-generating-an-url-from-non-sanitized-request-parameters-is-i
