
Problem description

We are upgrading from Rails 4.2.5 to 5.0.0.beta1

When testing we expected to see index views rendered with paginated links as before. But we now get an ArgumentError error page, for example:

ArgumentError in Transactions#index
/app/views/kaminari/_paginator.html.erb where line #10 raised:


<%= paginator.render do -%>

Generating an URL from non sanitized request parameters is insecure!

Application Trace | Framework Trace | Full Trace

app/views/kaminari/_paginator.html.erb:10:in `block in _app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/kaminari/_paginator.html.erb:9:in `_app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/transactions/index.html.erb:2:in `_app_views_transactions_index_html_erb__422882858554400818_60602560'

An issue has been raised with kaminari

On further investigation here is the new Rails 5.0.0.beta1 code that now throws the error:

Adding this to config/application.rb 'fixes' it, but not a great idea:

config.action_controller.permit_all_parameters = true

Instead adding this does not fix the issue, not sure why:

config.action_controller.always_permitted_parameters = [:current_page, :page, :total_pages, :per_page, :remote, :paginator]
Solution

This appears to be fixed in the github master branch, so for now in your gem file specify:

gem 'kaminari', :git => "git://github.com/amatsuda/kaminari.git", :branch => 'master'
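
Why Rails 5 refuses to build the pagination link, as an added sketch that is not part of the original question or answer and is not Rails or kaminari code: `SketchParams` and `sketch_url_for` are hypothetical stand-ins for `ActionController::Parameters` and `url_for`, and the request values and host names are constructed. It shows a raw parameter hash steering the generated link, the guard rejecting unpermitted parameters, and an explicit `permit` list producing the expected link.

```ruby
require "uri"

# Hypothetical, simplified stand-in for ActionController::Parameters.
class SketchParams
  def initialize(hash, permitted = false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Returns a new, permitted copy that keeps only the listed keys.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    SketchParams.new(@hash.select { |k, _| allowed.include?(k) }, true)
  end

  def to_h
    @hash.dup
  end
end

# Hypothetical stand-in for url_for: some option keys (host, protocol) are
# routing directives, not query values, so whoever controls them controls
# where the generated link points.
def sketch_url_for(path, options, default_host: "app.example")
  if options.is_a?(SketchParams)
    unless options.permitted?
      raise ArgumentError,
            "Generating an URL from non sanitized request parameters is insecure!"
    end
    options = options.to_h
  end
  opts = options.transform_keys(&:to_s)
  host = opts.delete("host") || default_host
  protocol = opts.delete("protocol") || "https"
  query = URI.encode_www_form(opts.sort)
  "#{protocol}://#{host}#{path}" + (query.empty? ? "" : "?#{query}")
end

# Constructed request parameters: a page number plus an injected host.
RAW_REQUEST = { "page" => "2", "host" => "attacker.example" }.freeze

# Allow-listing the pagination keys drops the injected directive.
def pagination_link(raw)
  sketch_url_for("/transactions", SketchParams.new(raw).permit(:page, :per_page))
end
```

Passing `RAW_REQUEST` as a plain hash yields a link on `attacker.example`, which is the behaviour the Rails 5 check exists to stop; `permit_all_parameters = true` switches that protection off application-wide.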


07-02 02:33