From 310ed05a59dcd51b1d3d64dd26341ec851ed581d Mon Sep 17 00:00:00 2001
From: Sven Schwyn
Date: Thu, 4 Oct 2012 10:38:59 +0200
Subject: [PATCH 1/2] Allow parameter filters to match multi-parameter attributes (DHH compatible)
---
 lib/action_controller/parameters.rb | 1 +
 test/multi_parameter_attributes_test.rb | 34 +++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 test/multi_parameter_attributes_test.rb
diff --git a/lib/action_controller/parameters.rb b/lib/action_controller/parameters.rb
index a62a50c..1f86a00 100644
--- a/lib/action_controller/parameters.rb
+++ b/lib/action_controller/parameters.rb
@@ -39,6 +39,7 @@ def permit(*filters)
 case filter
 when Symbol, String then
 params[filter] = self[filter] if has_key?(filter)
+ keys.grep(/^#{filter}\(\w+\)$/).each { |key| params[key] = self[key] }
 when Hash then
 self.slice(*filter.keys).each do |key, value|
 return unless value
diff --git a/test/multi_parameter_attributes_test.rb b/test/multi_parameter_attributes_test.rb
new file mode 100644
index 0000000..7faa4b2
--- /dev/null
+++ b/test/multi_parameter_attributes_test.rb
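Review bot: The `keys.grep(/^#{filter}\(\w+\)$/)` line that PATCH 1/2 adds to lib/action_controller/parameters.rb should not land as a revision of its own; squash it with PATCH 2/2 of this series. In Ruby `^` and `$` anchor at line boundaries, not at the ends of the string, and the filter is interpolated into the pattern without `Regexp.escape`, so this form of the allow-list check accepts keys that are not exactly `name(part)`. PATCH 2/2 replaces the pattern, but until it is applied any checkout or bisect step at this commit carries the looser match. permit's body starts and ends outside the hunk.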
@@ -0,0 +1,34 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class MultiParameterAttributesTest < ActiveSupport::TestCase
+ test "permitted multi-parameter attribute keys" do
+ params = ActionController::Parameters.new({
+ book: {
+ "shipped_at(1i)" => "2012",
+ "shipped_at(2i)" => "3",
+ "shipped_at(3i)" => "25",
+ "shipped_at(4i)" => "10",
+ "shipped_at(5i)" => "15",
+ "published_at(1i)" => "1999",
+ "published_at(2i)" => "2",
+ "published_at(3i)" => "5"
+ }
+ })
+
+ permitted = params.permit book: [ :shipped_at ]
+
+ assert permitted.permitted?
+
+ assert_equal "2012", permitted[:book]["shipped_at(1i)"]
+ assert_equal "3", permitted[:book]["shipped_at(2i)"]
+ assert_equal "25", permitted[:book]["shipped_at(3i)"]
+ assert_equal "10", permitted[:book]["shipped_at(4i)"]
+ assert_equal "15", permitted[:book]["shipped_at(5i)"]
+
+ assert_nil permitted[:book]["published_at(1i)"]
+ assert_nil permitted[:book]["published_at(2i)"]
+ assert_nil permitted[:book]["published_at(3i)"]
+ end
+end
+
From e05301bded00d9d6085e204acd0e2d87fa49516f Mon Sep 17 00:00:00 2001
From: Sven Schwyn
Date: Fri, 5 Oct 2012 08:20:36 +0200
Subject: [PATCH 2/2] Make multi-params attribute regex more restrictive.
---
 lib/action_controller/parameters.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/action_controller/parameters.rb b/lib/action_controller/parameters.rb
index 1f86a00..0d7b29f 100644
--- a/lib/action_controller/parameters.rb
+++ b/lib/action_controller/parameters.rb
@@ -39,7 +39,7 @@ def permit(*filters)
 case filter
 when Symbol, String then
 params[filter] = self[filter] if has_key?(filter)
- keys.grep(/^#{filter}\(\w+\)$/).each { |key| params[key] = self[key] }
+ keys.grep(/\A#{Regexp.escape(filter)}\(\di\)\z/).each { |key| params[key] = self[key] }
 when Hash then
 self.slice(*filter.keys).each do |key, value|
 return unless value
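Review bot: The test added in test/multi_parameter_attributes_test.rb has no negative case for the shape of the key, only for a different attribute name (`published_at`). Because `permit` is the allow-list for mass assignment, the boundary of the match deserves its own assertions: put keys such as `"shipped_at(1i)x"` and `"xshipped_at(1i)"` (constructed examples) into the `book` hash and check `assert_nil permitted[:book]["shipped_at(1i)x"]`. PATCH 2/2 tightens the pattern without touching this file, so that tightening is not covered by any assertion here.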
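Review bot: The tightened pattern `\(\di\)` on the replaced `keys.grep` line in PATCH 2/2 accepts exactly one digit followed by `i`, so keys with a multi-digit position, a different cast suffix or no suffix are now silently dropped, and nothing on the line says that is intended. If only the integer parts sent by the date and time helpers should pass, state it in a comment above the line, e.g. `# multi-parameter keys: name(1i)..name(9i), integer parts only`; if other parts are expected (ActiveRecord appears to recognise an `f` suffix and unsuffixed parts as well, worth confirming), widen it to `\(\d+[if]?\)`. Writing `Regexp.escape(filter.to_s)` would also make the Symbol case of the `when Symbol, String` branch explicit instead of depending on how `Regexp.escape` treats a non-String argument. permit's body starts and ends outside the hunk.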