Avoid 'Cannot redirect to a parameter hash' error

Rails 4 introduced a [protection against passing parameters hash into `redirect_to`](rails/rails#16170) as a security measure. In some circumstances the `session[:document_filters]` could contain a paramters hash (I suspect this may only be the case for a session which was serialized into someones session cookie in the pre-rails-4 whitehall app and deserialized in this release). Adding this `.to_h` forces the hash to always be converted to a ruby hash. It's safe to pass these parameters to redirect_to because they are all features which are intended to be controlled by user input. The redirect is just a feature to ensure consistency of urls.
alphagov · Feb 18, 2015 · 0bbb477 · 0bbb477 · tekin · Feb 19, 2015
1 parent ec8140e
commit 0bbb477
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/app/controllers/admin/edition_workflow_controller.rb b/app/controllers/admin/edition_workflow_controller.rb
@@ -214,6 +214,6 @@ def action_name_as_human_interaction(action_name)
   end
 
   def session_filters
-    session[:document_filters] || {}
+    (session[:document_filters] || {}).to_h
   end
 end
diff --git a/app/controllers/admin/editions_controller.rb b/app/controllers/admin/editions_controller.rb
@@ -305,7 +305,7 @@ def default_filters
   end
 
   def session_filters
-    session[:document_filters] || {}
+    (session[:document_filters] || {}).to_h
   end
 
   def params_filters