Why it’s Bad to Pass OpenStruct (or Object) to Controller from View

I recently ran across an instance where I needed to pass a relatively simple OpenStruct from a view back to the controller via a GET. It was a strange situation where I needed the OpenStruct to populate some tables in the view, but upon a user submit, needed to use that same OpenStruct back in a controller action.

I found a bad way to do it.


Let’s say your open struct is called @my_struct. From the view, a way to pass that struct to a controller action could be as follows:

<%= link_to "Passing an Open Struct!", my_controller_url(:my_struct => Marshal.dump(@my_struct)) %>

This will create a link with the text “Passing an Open Struct!” that will send your open struct back to a specified controller action (assume a route has been set up for my_controller). The only thing is, @my_struct has been converted to a byte stream via Marshal.dump. So in the controller action, you’ll need to convert it back to the original OpenStruct. To do that, see below:

def some_action
  # Rebuild the object from the Marshal byte stream sent in the query string
  @my_struct = Marshal.load(params[:my_struct])
  # now you can do stuff with the original @my_struct
end

This technique would work for any class object.

So, what’s the problem with this??

UNFORTUNATELY, it opens up a huge security hole: Marshal.load will reconstruct whatever the client sends, so a user could pass any object over to the server-side controller. VERY BAD. Well, I live and learn each day. What at first appears to be a good solution to a problem may ultimately be hugely flawed.
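The pattern a defender would use instead, as an added example (this is not code from the original post): carry only plain data (JSON) between view and controller, keep it to an allow-list of fields, and sign it with an HMAC so the controller rejects anything tampered with, without ever calling Marshal.load on user input. SECRET, ALLOWED_KEYS and the field names are assumptions made for the example.

```ruby
require "json"
require "ostruct"
require "base64"
require "openssl"

# Assumed: in a real app this comes from the application's credentials.
SECRET = "replace-with-app-secret".freeze
# Assumed allow-list of fields the controller is willing to accept back.
ALLOWED_KEYS = %w[name quantity].freeze

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize only the allowed plain-data fields and append an HMAC over the payload.
# The result is URL-safe, so it can be used directly as a query parameter.
def encode_struct(struct)
  data = struct.to_h.slice(*ALLOWED_KEYS.map(&:to_sym))
  payload = Base64.urlsafe_encode64(data.to_json)
  sig = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  "#{payload}--#{sig}"
end

# Verify the signature first, then parse JSON (data only, no object graph) and
# rebuild an OpenStruct containing only allow-listed keys. Returns nil on any failure.
def decode_struct(token)
  payload, sig = token.to_s.split("--", 2)
  return nil unless payload && sig
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  return nil unless secure_equal?(expected, sig)
  data = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless data.is_a?(Hash)
  OpenStruct.new(data.slice(*ALLOWED_KEYS))
rescue JSON::ParserError, ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample object; the "admin" field is deliberately dropped on encode.
  token = encode_struct(OpenStruct.new(name: "widget", quantity: 3, admin: true))
  p decode_struct(token)
  p decode_struct(token + "x")   # tampered signature => nil
end
```

In a Rails app the same job is done by ActiveSupport::MessageVerifier; the point is that the controller only ever parses data it signed itself, and a tampered or forged parameter yields nil rather than an arbitrary object.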


One thought on “Why it’s Bad to Pass OpenStruct (or Object) to Controller from View”

  1. Thanks for sharing! We’ll be sure to pass this along with our community at http://bit.ly/11EJHcd
