Security patch for Kaminari 1.2.0 no longer needed.
Kaminari released version 1.2.1 fixing CVE-2020-11082, where an attacker
would be able to inject arbitrary code into pages with pagination
links. Proof:

kaminari/kaminari#1020
https://my.diffend.io/gems/kaminari/1.2.0/1.2.1

The changes for Kaminari 1.2.1 make the patching on the
config/initializer/kaminari_config.rb no longer needed.
esparta committed Jun 17, 2020
1 parent 97b1703 commit 06abbb5
Showing 3 changed files with 2 additions and 6 deletions.
2 changes: 1 addition & 1 deletion Gemfile
@@ -17,7 +17,7 @@ gem "high_voltage"
gem "honeybadger"
gem "http_accept_language"
gem "jquery-rails"
gem "kaminari"
gem "kaminari", "~> 1.2.1"
gem "mail"
gem "newrelic_rpm"
gem "paul_revere", "~> 3.1.0"
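Review bot: the pessimistic constraint `"~> 1.2.1"` on the `kaminari` line only admits 1.2.x releases at or above 1.2.1, so a later 1.3.x release carrying a further security fix would not be picked up by `bundle update` without editing the Gemfile again. If the intent is only to enforce a floor above the vulnerable 1.2.0, `">= 1.2.1"` expresses that directly; if the intent is to stay on the 1.2 series, the current pin is fine but is worth stating in a comment next to the gem line, since the other pinned gems here (e.g. `paul_revere`) give no hint which policy applies.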
2 changes: 1 addition & 1 deletion Gemfile.lock
@@ -433,7 +433,7 @@ DEPENDENCIES
honeybadger
http_accept_language
jquery-rails
kaminari
kaminari (~> 1.2.1)
launchy
listen
lograge
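Review bot: this hunk changes only the `DEPENDENCIES` entry (`kaminari` to `kaminari (~> 1.2.1)`), and the file summary reports 1 addition and 1 deletion for Gemfile.lock in total, so the resolved `kaminari (x.y.z)` line under the `specs` section is not touched by this commit. Please confirm that the locked version already reads 1.2.1 or later; if it still resolves 1.2.0, the lock is inconsistent with the new Gemfile constraint and `bundle install --deployment` / `bundle exec` would fail or re-resolve, which is exactly what a review of a security-driven bump needs to rule out.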
4 changes: 0 additions & 4 deletions config/initializers/kaminari_config.rb
@@ -11,7 +11,3 @@
# config.param_name = :page
# config.params_on_first_page = false
end

module Kaminari::Helpers
PARAM_KEY_EXCEPT_LIST = %i[authenticity_token commit utf8 _method script_name original_script_name].freeze
end
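Review bot: removing the reopened `Kaminari::Helpers` block drops the app-level override of `PARAM_KEY_EXCEPT_LIST` (`authenticity_token commit utf8 _method script_name original_script_name`). Before merging, check that the list shipped in Kaminari 1.2.1 covers every one of these keys; any key the app relied on excluding that upstream does not exclude would reappear in generated pagination links once this override is gone. A short comment in the initializer noting that the CVE-2020-11082 mitigation now comes from the gem itself would also help the next reader understand why no `PARAM_KEY_EXCEPT_LIST` override is present.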

0 comments on commit 06abbb5