The Ruby Railroad

I recently ran across an instance where I needed to pass a relatively simple OpenStruct from a view back to the controller via a GET. It was a strange situation where I needed the OpenStruct to populate some tables in the view, but upon a user submit, needed to use that same OpenStruct back in a controller action.

I found a bad way to do it.

Let’s say your open struct is called @my_struct. From the view, a way to pass that struct to a controller action could be as follows:

 <%= link_to "Passing an Open Struct!", my_controller_url(:my_struct=> Marshal.dump(@my_struct)) %>

This will create a link with the text “Passing an Open Struct!” that will send your open struct back to a specified controller action (assume a route has been set up for my_controller). Only thing is, @my_struct has been converted to a byte stream via Marshal.dump. So in the controller action, you’ll need to convert it back to the original OpenStruct. Do do that, see below:

def some_action do
   @my_struct = Marshal.load(params[:my_struct])
   #now you can do stuff with the original @my_struct
end

This technique would work for any class object.

So, what’s the problem with this??

UNFORTUNATELY, it opens up a huge security hole that could allow a user to pass any object over to the server side controller. VERY  BAD. Well, I live an learn each day. What at first appear to be a good solution to a problem, may ultimately be hugely flawed.