
Fix nil array sql vulnerability (CVE-2012-2660 + CVE-2012-2694) #1

Closed
wants to merge 3 commits into from

1 participant

Justin (Owner)

When normalizing parameters, also check for [nil].

Intended to fix CVE-2012-2660 and CVE-2012-2694

Justin (Owner)

Also added a potential fix for CVE-2012-2694, where the query parameter array values might have nil and other values.

Justin presidentbeef closed this October 06, 2012
6  actionpack/lib/action_controller/request.rb
@@ -486,7 +486,11 @@ def normalize_parameters(value)
486 486
             h.with_indifferent_access
487 487
           end
488 488
         when Array
489  
-          value.map { |e| normalize_parameters(e) }
  489
+          if value.length == 1 and value[0] == nil
  490
+            value = nil
  491
+          else
  492
+            value.map { |e| normalize_parameters(e) }.compact
  493
+          end
490 494
         else
491 495
           value
492 496
         end
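Review bot: the `if value.length == 1 and value[0] == nil` special case at 489-490 is inconsistent with the `else` branch at 492: a single `[nil]` becomes `nil`, but an array of only nils with more than one element (`[nil, nil]`) falls through to `map { ... }.compact` and becomes `[]`, so callers still see two different "empty" values. If the intent is "any array containing only nils collapses to nil", check the result of the compact instead, e.g. `normalized = value.map { |e| normalize_parameters(e) }.compact; normalized.empty? ? nil : normalized`. Two style points on the same lines: use `&&` and `value[0].nil?` rather than `and` / `== nil` (`and` binds looser than `=` and is meant for control flow), and `value = nil` at 490 reassigns the argument only so the `if` expression evaluates to it; a bare `nil` in that branch reads more clearly.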
15  actionpack/test/controller/request/query_string_parsing_test.rb
@@ -105,6 +105,21 @@ def teardown
105 105
     )
106 106
   end
107 107
 
  108
+  #These tests are copied directly from the official patch
  109
+  test "nested query with nil arrays" do
  110
+    assert_parses({"action" => nil}, "action")
  111
+    assert_parses({"action" => {"foo" => nil}}, "action[foo]")
  112
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar]")
  113
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar][]")
  114
+    assert_parses({"action" => {"foo" => nil}}, "action[foo][]")
  115
+    assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
  116
+  end
  117
+
  118
+  test "remove nils from query parameter arrays" do
  119
+    assert_parses({"action" => ['1']}, "action[]=1&action[]")
  120
+    assert_parses({"action" => ['1', '2']}, "action[]=1&action[]&action[]=2")
  121
+  end
  122
+
108 123
   private
109 124
     def assert_parses(expected, actual)
110 125
       with_routing do |set|
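Review bot: the comment at 108, "These tests are copied directly from the official patch", should name the patch (the Rails release or commit it came from) so a reviewer can confirm nothing was dropped in the copy. The two new tests also leave one behaviour of the request.rb change unpinned: "remove nils from query parameter arrays" at 118-121 covers arrays that mix nils with values, and "nested query with nil arrays" covers a single trailing `[]`, but no case asserts what `action[]&action[]` (an array that is entirely nil with more than one element) parses to; add an `assert_parses` for it so the `nil`-versus-`[]` result of the implementation is an explicit decision rather than an accident.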