Correctly escape PostgreSQL arrays.

Thanks Godfrey Chan for reporting this!

Fixes: CVE-2014-0080
Parent: 08d0a11. Commit 6256b1de9a2d968b0d123ad6a09b33de01019ae6 by @tenderlove, committed with rafaelfranca, Feb 13, 2014.
@@ -142,12 +142,16 @@ def escape_hstore(value)
end
end
+ ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays
+
def quote_and_escape(value)
case value
when "NULL"
value
else
- "\"#{value.gsub(/"/,"\\\"")}\""
+ value = value.gsub(/\\/, ARRAY_ESCAPE)
+ value.gsub!(/"/,"\\\"")
+ "\"#{value}\""
end
end
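Review bot: the reasoning behind `ARRAY_ESCAPE = "\\" * 2 * 2` is not recoverable from its comment; the four backslash characters are needed because `String#gsub` interprets backslash sequences in a string replacement, so a replacement of `\\\\` emits two literal backslashes, which is the PostgreSQL array-literal escape for one backslash in the element. Either say so in the comment or sidestep the double interpretation with the block form `value.gsub(/\\/) { "\\\\" }`, which makes the intended output visible. The ordering in `quote_and_escape` is correct: backslashes are doubled before `value.gsub!(/"/,"\\\"")` runs, so the backslashes that the quote escape inserts are not doubled again. The unchanged `when "NULL"` branch still passes an element whose text is exactly "NULL" through unquoted, so it is stored as an array NULL rather than the string; that is pre-existing and outside this fix, but worth a follow-up.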
@@ -78,6 +78,14 @@ def teardown
PostgresqlBitString, PostgresqlOid, PostgresqlTimestampWithZone, PostgresqlUUID].each(&:delete_all)
end
+ def test_array_escaping
+ unknown = %(foo\\",bar,baz,\\)
+ nicknames = ["hello_#{unknown}"]
+ ar = PostgresqlArray.create!(nicknames: nicknames, id: 100)
+ ar.reload
+ assert_equal nicknames, ar.nicknames
+ end
+
def test_data_type_of_array_types
assert_equal :integer, @first_array.column_for_attribute(:commission_by_quarter).type
assert_equal :text, @first_array.column_for_attribute(:nicknames).type
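Review bot: `test_array_escaping` only checks the round trip through `create!` and `reload` for a single value, so a regression in `quote_and_escape` that is mirrored by the type cast on read would still pass; add a direct assertion on the escaped literal that `quote_and_escape` produces for the same input. The constructed value `%(foo\\",bar,baz,\\)` usefully covers a backslash immediately before a quote, commas and a trailing backslash; consider also an element that is exactly "NULL", which the `case` passes through unquoted, and an empty string. The hard-coded `id: 100` can collide with fixture rows in this test database; let the database assign the id.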