Merge branch '3-2-sec' into 3-2-secmerge

* 3-2-sec: CVE-2012-5664 options hashes should only be extracted if there are extra parameters updating changelog updating the changelogs updating the changelog for the CVE Add release date of Rails 3.2.9 to documentation Conflicts: actionmailer/CHANGELOG.md actionpack/CHANGELOG.md activemodel/CHANGELOG.md activerecord/CHANGELOG.md activeresource/CHANGELOG.md activesupport/CHANGELOG.md railties/CHANGELOG.md
rails · Dec 23, 2012 · 2aa70bd · 2aa70bd
2 parents 885f59f + 325669f
commit 2aa70bd
Show file tree

Hide file tree

Showing 9 changed files with 47 additions and 6 deletions.
diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
@@ -1,4 +1,8 @@
-## Rails 3.2.10 (unreleased) ##
+## Rails 3.2.11 (unreleased) ##
+
+## Rails 3.2.10 ##
+
+## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   The return value from mailer methods is no longer relevant. This fixes a bug,
     which was introduced with 3.2.9.

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,4 +1,4 @@
-## Rails 3.2.10 (unreleased) ##
+## Rails 3.2.11 (unreleased) ##
 
 *   Clear url helper methods when routes are reloaded by removing the methods
     explicitly rather than just clearing the module because it didn't work
@@ -72,6 +72,8 @@
 
     *Daniel Fox, Grant Hutchins & Trace Wax*
 
+## Rails 3.2.10 ##
+
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   Clear url helpers when reloading routes.

diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
@@ -1,7 +1,8 @@
-## Rails 3.2.10 (unreleased) ##
+## Rails 3.2.11 (unreleased) ##
 
 *   Specify type of singular association during serialization *Steve Klabnik*
 
+## Rails 3.2.10 ##
 
 ## Rails 3.2.9 (Nov 12, 2012) ##
 

diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
@@ -1,4 +1,4 @@
-## Rails 3.2.10 (unreleased)
+## Rails 3.2.11 (unreleased)
 
 *   Serialized attributes can be serialized in integer columns.
     Fix #8575.
@@ -180,6 +180,13 @@
 
     *Alexis Bernard*
 
+## Rails 3.2.10 ##
+
+*   CVE-2012-5664 options hashes should only be extracted if there are extra
+    parameters
+
+## Rails 3.2.9 (Nov 12, 2012) ##
+
 *   Fix issue with collection associations calling first(n)/last(n) and attempting
     to set the inverse association when `:inverse_of` was used. Fixes #8087.
 

diff --git a/activerecord/lib/active_record/dynamic_matchers.rb b/activerecord/lib/active_record/dynamic_matchers.rb
@@ -40,7 +40,12 @@ def self.#{method_id}(*args)                                    # def self.scope
           METHOD
           send(method_id, *arguments)
         elsif match.finder?
-          options = arguments.extract_options!
+          options = if arguments.length > attribute_names.size
+                      arguments.extract_options!
+                    else
+                      {}
+                    end
+
           relation = options.any? ? scoped(options) : scoped
           relation.send :find_by_attributes, match, attribute_names, *arguments, &block
         elsif match.instantiator?

diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb
@@ -15,6 +15,18 @@
 class FinderTest < ActiveRecord::TestCase
   fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers, :categories, :categorizations
 
+  def test_find_by_id_with_hash
+    assert_raises(ActiveRecord::StatementInvalid) do
+      Post.find_by_id(:limit => 1)
+    end
+  end
+
+  def test_find_by_title_and_id_with_hash
+    assert_raises(ActiveRecord::StatementInvalid) do
+      Post.find_by_title_and_id('foo', :limit => 1)
+    end
+  end
+
   def test_find
     assert_equal(topics(:first).title, Topic.find(1).title)
   end

diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.2.11 ##
+
+## Rails 3.2.10 ##
+
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   No changes.

diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
@@ -1,4 +1,4 @@
-## Rails 3.2.10 (unreleased)
+## Rails 3.2.11 (unreleased)
 
 *   Remove surrogate unicode character encoding from ActiveSupport::JSON.encode
     The encoding scheme was broken for unicode characters outside the basic
@@ -19,6 +19,8 @@
 
     *Daniele Sluijters*
 
+## Rails 3.2.10 ##
+
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   Add logger.push_tags and .pop_tags to complement logger.tagged:

diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.2.11 ##
+
+## Rails 3.2.10 ##
+
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   Engines with a dummy app include the rake tasks of dependencies in the app namespace. [Backport: #8262]