On May 13, 11:04 pm, egervari <[email protected]> wrote:
> > So can you reduce it to minimal example (ie what is the one other test
> > it needs to run with in order to fail) ?
> >
> > Also I think your code has a security weakness - someone could set up
> > params such that params[:page] had the value :inline => "<%=
> > system('rm -rf /') %>
> >
> > Fred
>
> Well, the test is pretty minimal as it is. I don't know how to
> simplify it further. The first 'show' test works, but I included it so
> you know what the intention was. The second test is the one that fails
> - it cannot find the /public/404 page.
>

I meant the fact that it fails only when you run the whole test suite - can you narrow it down to "it fails when run at the same time as test x"?

> I wasn't aware of this security vulnerability though. How can I write
> the controller in the same way without the security problem? I don't
> want to make a bunch of static actions for 20 different static pages :(

Well, you'd probably be ok if you made sure that params[:page] was a string. Also, as long as the route exists and there is a pages controller, /pages/tour would render app/views/pages/tour.erb (or whatever sort of template was there).

Fred

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
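The weakness Fred describes, and the "make sure it is a string" fix, as an added example that is not code from this thread or from Rails. It runs without Rails: `simulated_render` stands in for the relevant behaviour of a Rails-style `render` (a String names a template, a Hash is treated as render options, and `:inline` evaluates the supplied ERB source). `ALLOWED_PAGES`, `show_unsafe` and `show_safe` are assumed names; the ERB payload used is a harmless arithmetic expression constructed for the demonstration, and params use symbol keys as in the thread.

```ruby
require 'erb'

# Assumed allowlist of the static pages the controller is meant to serve.
ALLOWED_PAGES = %w[tour about pricing faq].freeze

# Stand-in for the part of a Rails-style render that matters here:
# a String means "find this template"; a Hash means "render options",
# and :inline evaluates whatever ERB source it is given.
def simulated_render(arg)
  case arg
  when String
    "template:#{arg}"
  when Hash
    if arg[:inline]
      ERB.new(arg[:inline]).result(binding) # arbitrary ERB runs here
    else
      "options:#{arg.inspect}"
    end
  else
    raise ArgumentError, "unsupported render argument #{arg.class}"
  end
end

# The shape discussed in the thread: params[:page] goes straight into
# render, so a Hash parameter is interpreted as render options rather
# than as a template name.
def show_unsafe(params)
  simulated_render(params[:page])
end

# Hardened version: only a String from a fixed allowlist ever reaches
# render, so neither render options nor arbitrary template paths can be
# supplied through the request.
def show_safe(params)
  page = params[:page]
  raise ArgumentError, 'page must be a string' unless page.is_a?(String)
  raise ArgumentError, 'unknown page'         unless ALLOWED_PAGES.include?(page)
  simulated_render("pages/#{page}")
end

if __FILE__ == $PROGRAM_NAME
  puts show_unsafe(page: 'pages/tour')                 # template:pages/tour
  puts show_unsafe(page: { inline: '<%= 6 * 7 %>' })  # 42: the ERB was evaluated
  puts show_safe(page: 'tour')                         # template:pages/tour
  begin
    show_safe(page: { inline: '<%= 6 * 7 %>' })
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist does more than the `is_a?(String)` check alone: a string check stops the Hash-as-render-options case, while the allowlist also keeps a string such as `../../other/template` from naming a template outside the pages directory.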

