Fix issue with attr_protected where malformed input could circumvent protection

Fixes: CVE-2013-0276

Conflicts:
	activemodel/lib/active_model/attribute_methods.rb
	activerecord/test/cases/mass_assignment_security_test.rb
1 parent f93d046 commit 2dfd51247fcbfa14eb99ce8fd5537230a36c11f8 @joernchen joernchen committed with tenderlove Feb 9, 2013
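--- a/activemodel/lib/active_model/attribute_methods.rb
+++ b/activemodel/lib/active_model/attribute_methods.rb
@@ -347,7 +347,7 @@ class AttributeMethodMatcher
 def initialize(options = {})
 options.symbolize_keys!
 @prefix, @suffix = options[:prefix] || '', options[:suffix] || ''
- @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/
+ @regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/
 end
 def match(method_name)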
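Review bot: The new anchors are the right ones (`\z` rather than `\Z`, so a trailing newline is not tolerated either), but nothing in the hunk records why `^`/`$` were wrong, and a future refactor could reintroduce them. A one-line comment above the regex would pin the intent: `# \A/\z anchor the whole string; ^/$ are per-line anchors in Ruby, so a name containing "\n" could match on one of its lines`. Since `(.+?)` does not cross newlines without `/m`, a method name containing a newline now fails the match outright, which appears to be the intended outcome and is worth stating in the same comment. The conflict trailer names mass_assignment_security_test.rb, yet no test hunk appears on this page, so the backport may be missing a regression test for a newline-bearing attribute name. AttributeMethodMatcher continues outside the hunk.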
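--- a/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
@@ -17,7 +17,7 @@ def include?(key)
 protected
 def remove_multiparameter_id(key)
- key.to_s.gsub(/\(.+/, '')
+ key.to_s.gsub(/\(.+/m, '')
 end
 end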
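Review bot: With `/m` the `.+` now consumes everything from the first `(` to the end of the key, so `gsub` can only ever perform a single replacement and `sub` states that intent more directly: `key.to_s.sub(/\(.+/m, '')`. The flag is the whole security fix and deserves a comment so nobody "simplifies" it away, e.g. `# /m: let . span newlines so a newline after "(" cannot stop the strip short and leave a key that evades the blacklist`. Note that `.+` still requires at least one character after `(`, so a key ending in a bare `(` is returned untouched; whether that matters depends on how `include?` (cut off at the top of the hunk) consumes the result, which I cannot see here. The enclosing class continues outside the hunk.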
