Correctly escape PostgreSQL arrays.
Thanks Godfrey Chan for reporting this!

Fixes: CVE-2014-0080
tenderlove authored and rafaelfranca committed Feb 18, 2014
1 parent 9e2d63d commit 3eaea65
Showing 2 changed files with 13 additions and 1 deletion.
Expand Up @@ -138,12 +138,16 @@ def escape_hstore(value)
end end
end end


ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays

def quote_and_escape(value) def quote_and_escape(value)
case value case value
when "NULL" when "NULL"
value value
else else
"\"#{value.gsub(/"/,"\\\"")}\"" value = value.gsub(/\\/, ARRAY_ESCAPE)
value.gsub!(/"/,"\\\"")
"\"#{value}\""
end end
end end
end end
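Review bot: The `* 2 * 2` in `ARRAY_ESCAPE` hides why four source-level backslashes are needed: `"\\"` is a single backslash character, and a replacement string handed to `gsub` treats `\\` as one literal backslash, so four characters in the constant yield the two backslashes a quoted PostgreSQL array element needs. The comment "escape the backslash twice" covers only half of that; either spell out the replacement-string interpretation in the comment or use the block form `value.gsub(/\\/) { "\\\\" }`, whose return value is inserted verbatim. The order of the two substitutions in the new `else` branch is correct and deserves a comment: backslashes are doubled before quotes are escaped, so the backslash introduced by `\"` is not doubled again. Reassigning `value` from `gsub` before the `gsub!` also means the caller's string is never mutated in place.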
8 changes: 8 additions & 0 deletions activerecord/test/cases/adapters/postgresql/datatype_test.rb
Expand Up @@ -184,6 +184,14 @@ def test_data_type_of_array_types
assert_equal :text, @first_array.column_for_attribute(:nicknames).type assert_equal :text, @first_array.column_for_attribute(:nicknames).type
end end


def test_array_escaping
unknown = %(foo\\",bar,baz,\\)
nicknames = ["hello_#{unknown}"]
ar = PostgresqlArray.create!(nicknames: nicknames, id: 100)
ar.reload
assert_equal nicknames, ar.nicknames
end

def test_data_type_of_range_types def test_data_type_of_range_types
skip "PostgreSQL 9.2 required for range datatypes" unless @connection.supports_ranges? skip "PostgreSQL 9.2 required for range datatypes" unless @connection.supports_ranges?
assert_equal :daterange, @first_range.column_for_attribute(:date_range).type assert_equal :daterange, @first_range.column_for_attribute(:date_range).type
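Review bot: `test_array_escaping` only checks a full round trip through the server, so when it fails it cannot say whether the backslash step or the quote step produced the wrong literal. Add a direct assertion on what `quote_and_escape` returns for `unknown`: the element should come back wrapped in double quotes with every backslash doubled and the embedded quote preceded by a backslash. The input is a good choice, since it exercises a backslash immediately before a quote, commas, and a trailing backslash in one value. The hard-coded `id: 100` ties the test to the fixture data; unless the id is needed by the assertion, let the database assign it.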
