We do this because if we don't then people could get just about any class to load just by putting it in the URL. It was suggested that we check whether the class in question is a subclass of controller but by that time it's too late since we would have to constantize the classname in order to check if it's a subclass. So it's a security issue to prevent URLs from loading malicious classes, especially when active support is loaded.

I suppose we could make a controller load paths array that your plugin could add to and check all the paths in said array. We just have to be careful about this stuff.

On another note, to_const_string has a DoS attack vuln in it. If you GET /404 or any URL that starts with a number it sends it into an infinite loop, since it uses an until loop but only consumes chars if they don't start with a number. Can you add a guard to that method to raise an error if any of the string sections start with a digit?

Thanks

Ezra Zygmuntowicz
[EMAIL PROTECTED]
1-530-917-7815

On Sep 17, 2007, at 7:08 AM, Duane Johnson <[EMAIL PROTECTED]> wrote:

> I remember having this discussion on IRC before, so Ezra if you could
> remind me that would be appreciated:
>
> Why do we check for the existence of the controller file in (what is
> now) Request#controller_class?
>
> The reason I ask is that I would like to implement some sort of
> "Rails engine" like features for gem plugins--in other words, drop in
> a gem that has controllers/views etc. and have it just work. In
> order to do this, I need the Request#controller_class to return my
> gem's controller class (which corresponding file does not exist
> inside the standard controller directory).
>
> Thanks,
> Duane Johnson
> (canadaduane)
>
> _______________________________________________
> Merb-devel mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/merb-devel
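The to_const_string problem described above, as an added example that is not Merb's own code: a scanner-style converter ("admin/user_posts" to "Admin::UserPosts") written with the same until-loop shape, the digit guard Ezra asks for, and an iteration cap standing in for the infinite loop so the stalled case can be run safely. The chunk patterns, the `guard:` and `max_steps:` parameters and the error classes are assumptions made for this illustration.

```ruby
require 'strscan'

# Hypothetical error classes for this example (not Merb's).
class InvalidConstName < StandardError; end
class LoopStall        < StandardError; end

# Converts a path-like string into a constant name, e.g.
# "admin/user_posts" -> "Admin::UserPosts". Each loop iteration tries to
# consume one chunk at the scanner's current position; a chunk that
# begins with a digit matches nothing, so nothing is consumed.
def to_const_string(str, guard: true, max_steps: 1_000)
  ss    = StringScanner.new(str)
  parts = []
  word  = +''
  steps = 0
  until ss.eos?
    # The guard requested in the thread: a Ruby constant can never start
    # with a digit, so reject the segment up front instead of letting the
    # loop below spin on it. ss.check peeks without advancing.
    if guard && ss.check(/\d/)
      raise InvalidConstName, "#{str.inspect}: segment at #{ss.pos} starts with a digit"
    end
    # Stand-in for "infinite loop": with guard: false the scanner never
    # advances past a digit, so cap the iterations and report the stall
    # rather than hanging the process (the DoS described in the mail).
    steps += 1
    raise LoopStall, "no progress at #{ss.pos} in #{str.inspect}" if steps > max_steps

    if (chunk = ss.scan(/[A-Za-z][A-Za-z0-9]*/))   # a word: letter first, digits allowed after
      word << chunk.capitalize
    elsif ss.scan(%r{/})                          # "/" separates namespaces
      parts << word
      word = +''
    else
      ss.scan(/_/)                                # "_" is skipped; anything else consumes nothing
    end
  end
  parts << word
  parts.join('::')
end
```

With the guard on, "404" (or "user/2fa") raises InvalidConstName immediately; with `guard: false` the same input hits the step cap and raises LoopStall, which is the hang the mail describes.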
