Rails 5.0.0.beta1 - 从未净化的请求参数生成 URL 是不安全的
Rails 5.0.0.beta1 - Generating an URL from non sanitized request parameters is insecure
我们正在从 Rails 4.2.5 升级到 5.0.0.beta1
在测试时,我们希望看到像以前一样使用分页链接呈现的索引视图。
但是我们现在得到一个ArgumentError错误页面,例如:
ArgumentError in Transactions#index
/app/views/kaminari/_paginator.html.erb where line #10 raised:
<%= paginator.render do -%>
Generating an URL from non sanitized request parameters is insecure!
Application Trace | Framework Trace | Full Trace
app/views/kaminari/_paginator.html.erb:10:in block in _app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060' app/views/kaminari/_paginator.html.erb:9:in_app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/transactions/index.html.erb:2:in `_app_views_transactions_index_html_erb__422882858554400818_60602560'
提出了一个问题
进一步调查 这里是新的 Rails 5.0.0.beta1 代码现在抛出错误:
将此添加到 config/application.rb 'fixes' 它,但不是一个好主意:
config.action_controller.permit_all_parameters = true
添加这个并不能解决问题,不知道为什么:
config.action_controller.always_permitted_parameters = [:current_page, :page, :total_pages, :per_page, :remote, :paginator]
这似乎已在 github master 分支中修复,因此现在在您的 gem 文件中指定:
gem 'kaminari', :git => "git://github.com/amatsuda/kaminari.git", :branch => 'master'
我们正在从 Rails 4.2.5 升级到 5.0.0.beta1
在测试时,我们希望看到像以前一样使用分页链接呈现的索引视图。 但是我们现在得到一个ArgumentError错误页面,例如:
ArgumentError in Transactions#index
/app/views/kaminari/_paginator.html.erb where line #10 raised:
<%= paginator.render do -%>
Generating an URL from non sanitized request parameters is insecure!
Application Trace | Framework Trace | Full Trace
app/views/kaminari/_paginator.html.erb:10:in block in _app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060' app/views/kaminari/_paginator.html.erb:9:in_app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/transactions/index.html.erb:2:in `_app_views_transactions_index_html_erb__422882858554400818_60602560'
进一步调查 这里是新的 Rails 5.0.0.beta1 代码现在抛出错误:
将此添加到 config/application.rb 'fixes' 它,但不是一个好主意:
config.action_controller.permit_all_parameters = true
添加这个并不能解决问题,不知道为什么:
config.action_controller.always_permitted_parameters = [:current_page, :page, :total_pages, :per_page, :remote, :paginator]
这似乎已在 github master 分支中修复,因此现在在您的 gem 文件中指定:
gem 'kaminari', :git => "git://github.com/amatsuda/kaminari.git", :branch => 'master'