Fix issue with attr_protected where malformed input could circumvent protection

Fixes: CVE-2013-0276
joernchen authored and tenderlove committed Feb 9, 2013
1 parent 2f0ff75 commit 060bb7250b963609a0d8a5d0559e36b99d2402c6
@@ -365,7 +365,7 @@ def initialize(options = {})
end
@prefix, @suffix = options[:prefix] || '', options[:suffix] || ''
- @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/
+ @regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/
@method_missing_target = "#{@prefix}attribute#{@suffix}"
@method_name = "#{prefix}%s#{suffix}"
end
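Review bot: The new `@regex` line has no regression test and no comment explaining why the anchors changed, so a later cleanup could put `^`/`$` back without anything failing. In Ruby `^` and `$` match at every line boundary, while `\A` and `\z` match only at the start and end of the whole string, so the old pattern could match a single line inside a multi-line name. Please add a test that passes a name containing "\n" to this matcher and asserts no match, plus a one-line comment on the regex stating that whole-string anchoring is intentional.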
@@ -19,7 +19,7 @@ def deny?(key)
protected
def remove_multiparameter_id(key)
- key.to_s.gsub(/\(.+/, '')
+ key.to_s.gsub(/\(.+/m, '')
end
end
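Review bot: In `remove_multiparameter_id`, the purpose of the added `/m` flag is not obvious from the line and there is no test covering it. In Ruby `/m` makes `.` match newlines, so the key is now stripped from the first "(" to the end of the string rather than to the end of the first line. Please add a comment saying so and a test with a key that has a newline after the "(", checked through `deny?`. Two smaller points on the same line: `.+` needs at least one character after the "(", so a key ending in a bare "(" is returned unchanged, and `/\(.*/m` would cover that case if it should be stripped too. Also, because the match now always runs to the end of the string, `sub` would do the same job as `gsub`.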
