nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix include_root_in_json misuse

Browse source 
since it is no longer exposed for instances, our post_presenter failed
hard.
This commit is contained in:
Dennis Schubert 2016-01-26 15:18:02 +01:00
parent 72fe5a79c2
commit ad20bb052c
3 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Changelog.md
View file

@ -1,5 +1,8 @@
# 0.5.6.3 # 0.5.6.3
Fix evil regression caused by Active Model no longer exposing
`include_root_in_json` in instances.
# 0.5.6.2 # 0.5.6.2
* Fix [CVE-2016-0751](https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc) - Possible Object Leak and Denial of Service attack in Action Pack * Fix [CVE-2016-0751](https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc) - Possible Object Leak and Denial of Service attack in Action Pack

2
app/models/post.rb
View file

@ -3,6 +3,8 @@
# the COPYRIGHT file. # the COPYRIGHT file.
class Post < ActiveRecord::Base class Post < ActiveRecord::Base
self.include_root_in_json = false
include ApplicationHelper include ApplicationHelper
include Diaspora::Federated::Shareable include Diaspora::Federated::Shareable

1
app/presenters/post_presenter.rb
View file

@ -9,7 +9,6 @@ class PostPresenter < BasePresenter
end end
def as_json(_options={}) def as_json(_options={})
@post.include_root_in_json = false
@post.as_json(only: directly_retrieved_attributes).merge(non_directly_retrieved_attributes) @post.as_json(only: directly_retrieved_attributes).merge(non_directly_retrieved_attributes)
end end