This post originated from an RSS feed registered with Ruby Buzz by Jeremy Voorhis. Original Post: Ruby Injection? Feed Title: JVoorhis Feed URL: http://feeds.feedburner.com/jvoorhis Feed Description: JVoorhis is a Rubyist in northeast Ohio. He rambles about Ruby on Rails, development practices, other frameworks such as Django, and on other days he is just full of snark. Latest Ruby Buzz Posts Latest Ruby Buzz Posts by Jeremy Voorhis Latest Posts From JVoorhis

While digging through the Rails generator source, I discovered how the locals hash works. For example:

<%= render :partial => 'search', locals => { :advanced => true } %>

This assigns advanced as a local variable in a partial named _search.rhtml. What I never quite realized is that this functionalty was implemented with string eval!

The ActionView code is a little more complex, but RailsGenerator has a more compact implementation of the same behavior, and it looks like this:

vars = template_options[:assigns] || {}
b = binding
vars.each { |k,v| eval "#{k} = vars[:#{k}] || vars['#{k}']", b }

# Render the source file with the temporary binding.
ERB.new(file.read, nil, '-').result(b)

So what happens if I do this?

<%= render :partial => 'search', locals => { :"Page.destroy_all #" => true } %>

I know, I know, templates are in the domain of the developer and great care should be taken as to what data is allowed to pass through them, but yikes!