From 06abbb58a54d822421d661d106b0af1c2b39d450 Mon Sep 17 00:00:00 2001
From: Espartaco Palma
Date: Wed, 17 Jun 2020 00:19:09 -0700
Subject: [PATCH] Security patch for Kaminari 1.2.0 not longer needed.

Kaminari released version 1.2.1 fixing CVE-2020-11082, where an attacker would be able to inject arbitrary code into pages with pagination links.

Proof:
https://github.com/kaminari/kaminari/pull/1020
https://my.diffend.io/gems/kaminari/1.2.0/1.2.1

The changes for Kaminari 1.2.1 makes the patching on the config/initializer/kaminari_config.rb not longer needed.
---
 Gemfile | 2 +-
 Gemfile.lock | 2 +-
 config/initializers/kaminari_config.rb | 4 ----
 3 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/Gemfile b/Gemfile
index 9c9be040b64..17dc5536db3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -17,7 +17,7 @@ gem "high_voltage"
 gem "honeybadger"
 gem "http_accept_language"
 gem "jquery-rails"
-gem "kaminari"
+gem "kaminari", "~> 1.2.1"
 gem "mail"
 gem "newrelic_rpm"
 gem "paul_revere", "~> 3.1.0"
diff --git a/Gemfile.lock b/Gemfile.lock
index d68b4c61a9b..792a44b2ab4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -433,7 +433,7 @@ DEPENDENCIES
   honeybadger
   http_accept_language
   jquery-rails
-  kaminari
+  kaminari (~> 1.2.1)
   launchy
   listen
   lograge
diff --git a/config/initializers/kaminari_config.rb b/config/initializers/kaminari_config.rb
index 0b81f60d7c1..013e5b3cdd7 100644
--- a/config/initializers/kaminari_config.rb
+++ b/config/initializers/kaminari_config.rb
@@ -11,7 +11,3 @@
   # config.param_name = :page
   # config.params_on_first_page = false
 end
-
-module Kaminari::Helpers
-  PARAM_KEY_EXCEPT_LIST = %i[authenticity_token commit utf8 _method script_name original_script_name].freeze
-end
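Review bot: The removed `PARAM_KEY_EXCEPT_LIST` override in config/initializers/kaminari_config.rb was the app-side mitigation for CVE-2020-11082, so dropping it is only safe once the gem actually resolved in the lock is 1.2.1 or later, and this patch does not show that. The Gemfile.lock hunk changes only the DEPENDENCIES entry (`kaminari (~> 1.2.1)`); the resolved `kaminari (x.y.z)` line in the specs section is not in the diff, and the diffstat (2 insertions, 6 deletions) is consistent with it being unchanged, which could mean it was already at 1.2.1 or that the lock is stale. Please confirm the specs line reads 1.2.1, or regenerate the lock so it moves together with the new pin. In deployment/frozen mode Bundler should reject a lock that no longer satisfies the Gemfile constraint, so a stale lock would likely fail at install rather than silently ship the vulnerable version, but that is an inference from the constraint rather than something this diff demonstrates.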