We do this because if we don't then people could get just about any
class to load just by putting it in the URL. It was suggested that we
check whether the class in question is a subclass of controller, but by
that time it's too late since we would have to constantize the
classname in order to check if it's a subclass. So it's a security issue
to prevent URLs from loading malicious classes, especially when active
support is loaded.
I suppose we could make a controller load paths array that your plugin
could add to and check all the paths in said array. We just have to be
careful about this stuff.
On another note, to_const_string has a DoS attack vuln in it. If you
GET /404 or any URL that starts with a number it sends it into an
infinite loop, since it uses an until loop but only consumes chars if
they don't start with a number. Can you add a guard to that method to
raise an error if any of the string sections start with a digit?
Thanks
Ezra Zygmuntowicz
ez at engineyard.com
1-530-917-7815
On Sep 17, 2007, at 7:08 AM, Duane Johnson <canadaduane at gmail.com>
wrote:
> I remember having this discussion on IRC before, so Ezra if you could
> remind me that would be appreciated:
>
> Why do we check for the existence of the controller file in (what is
> now) Request#controller_class?
>
> The reason I ask is that I would like to implement some sort of
> "Rails engine" like features for gem plugins--in other words, drop in
> a gem that has controllers/views etc. and have it just work. In
> order to do this, I need the Request#controller_class to return my
> gem's controller class (which corresponding file does not exist
> inside the standard controller directory).
>
> Thanks,
> Duane Johnson
> (canadaduane)
>
> _______________________________________________
> Merb-devel mailing list
> Merb-devel at rubyforge.org
> http://rubyforge.org/mailman/listinfo/merb-devel
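The two points Ezra raises above, as an added example that is not Merb's own code: a to_const_string that raises on any path section starting with a digit instead of looping, and a controller lookup that checks an allow-list of controller load paths on the raw string before anything is constantized. The constant format, the CONTROLLER_LOAD_PATHS hash (an in-memory stand-in for the directories a plugin would register) and the sample controller classes are all constructed for this example.

```ruby
# Added example, not Merb's code. Shows (1) a guarded to_const_string that
# rejects sections starting with a digit rather than spinning forever on
# "/404", and (2) resolving a controller name only after confirming it is
# registered under a known controller load path, so a URL cannot name an
# arbitrary constant such as Kernel or File.

# Each "/"-separated section must start with a letter (assumed format).
CONST_SEGMENT = /\A[a-z][a-z0-9_]*\z/.freeze

# "admin/reports" -> "Admin::Reports"; raises on "404" or "admin/1st".
def to_const_string(path)
  path.to_s.split("/").map do |section|
    unless section.match?(CONST_SEGMENT)
      raise ArgumentError,
            "constant section #{section.inspect} must start with a letter"
    end
    section.split("_").map(&:capitalize).join
  end.join("::")
end

# Constructed stand-in for the filesystem: load path => controller files
# found there. A real implementation would glob the registered directories;
# the lookup below is the same either way, and a plugin would add its own
# directory to this list.
CONTROLLER_LOAD_PATHS = {
  "app/controllers"              => ["users.rb", "admin/reports.rb"],
  "plugins/blog_gem/controllers" => ["posts.rb"],
}.freeze

def controller_file_registered?(name)
  CONTROLLER_LOAD_PATHS.values.any? { |files| files.include?("#{name}.rb") }
end

# Sample classes (constructed) that the registered files would define.
class Users; end
module Admin; class Reports; end; end
class Posts; end

def controller_class(name)
  # Refuse on the string, before any constant is resolved: once a name has
  # been constantized the class is already loaded, which is the problem
  # the subclass-of-controller check cannot solve.
  unless controller_file_registered?(name)
    raise NameError, "no registered controller for #{name.inspect}"
  end
  # Only a validated, registered name reaches const_get (inherit=false so
  # "object" or "kernel" cannot be reached via Object's ancestors).
  to_const_string(name).split("::").inject(Object) do |mod, const|
    mod.const_get(const, false)
  end
end

if __FILE__ == $0
  puts controller_class("admin/reports")          # Admin::Reports
  begin
    controller_class("404")
  rescue NameError => e
    puts "refused: #{e.message}"
  end
end
```

The registry check deliberately runs on the raw request string, so an unregistered name never gets as far as to_const_string or const_get; the digit guard then protects the remaining conversion from the looping input Ezra describes.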