Merge branch '3-2-later' into 3-2-stable

* 3-2-later:
  adding test for CVE
commit 536f316cd3586e63675e6aba440763b4f0deee9c 2 parents c9bd202 + c35d913
@tenderlove tenderlove authored
Showing with 10 additions and 0 deletions.
  1. +10 −0 activerecord/test/cases/mass_assignment_security_test.rb
10 activerecord/test/cases/mass_assignment_security_test.rb
@@ -300,6 +300,16 @@ def test_find_or_create_by_with_admin_role_with_attr_protected_attributes
assert_admin_attributes(p, true)
end
+ def test_attr_protected_with_newline
+ p = LoosePerson.new
+ assert_raises(ActiveRecord::UnknownAttributeError) do
+ p.attributes = {"comments=\n"=>"hax"}
+ end
+ assert_nil p.comments, "Comments is meant to be attr_protected but I assigned it with attributes="
+ p.attributes= {"comments(1)\n" => "hax"}
+ assert_nil p.comments, "Comments is meant to be attr_protected but I assigned it with attributes="
+ end
+
end
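Review bot: The second case in test_attr_protected_with_newline, `p.attributes= {"comments(1)\n" => "hax"}`, runs outside any assert_raises block, so the test never states whether a multiparameter-style key with a trailing newline is expected to raise or to be silently ignored. If that assignment ever starts raising, the test errors out instead of failing with a clear message. Pin the intended behavior explicitly, either by wrapping it in the appropriate assertion or by adding a comment that the key is expected to be dropped without error. Both assert_nil calls also carry the same failure message, so a failure does not show which key reached `comments`; give each message the key it covers ("comments=\n" versus "comments(1)\n"). The commit message says only "adding test for CVE" and the test body names no advisory, so a one-line comment with the identifier above the test would let later readers trace why the newline cases exist. Minor style point: `p.attributes =` and `p.attributes=` are spaced differently within the same test.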