File CVE-2016-0752.patch of Package rubygem-actionpack-4_2
--- a/actionpack/lib/abstract_controller/rendering.rb
+++ a/actionpack/lib/abstract_controller/rendering.rb
@@ -77,7 +77,13 @@ module AbstractController
# render "foo/bar" to render :file => "foo/bar".
# :api: plugin
def _normalize_args(action=nil, options={})
- if action.is_a? Hash
+ case action
+ when ActionController::Parameters
+ unless action.permitted?
+ raise ArgumentError, "render parameters are not permitted"
+ end
+ action
+ when Hash
action
else
options
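Review bot: The new `when ActionController::Parameters` branch only works if it stays above `when Hash`, and nothing in the code records that. In the 4.2 line Parameters is, as far as I know, a Hash subclass, so reordering the branches in a later cleanup would silently route unpermitted parameters into the plain-Hash path and drop the check. I would add a comment above the `case`, for example `# Keep the Parameters branch before Hash: Parameters is a Hash subclass, and unpermitted request params must never be used as render options.` The method comment should also say that the guard covers only a Parameters object passed as `action`: a plain Hash built from request data, or request values placed inside `options`, is returned unchecked, so callers still have to avoid passing request-derived render options. The body of `_normalize_args` continues past the end of this hunk.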