Correctly escape PostgreSQL arrays.

Thanks Godfrey Chan for reporting this! Fixes: CVE-2014-0080
rails · Feb 18, 2014 · 6256b1d · 6256b1d
1 parent 08d0a11
commit 6256b1d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb b/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb
@@ -142,12 +142,16 @@ def escape_hstore(value)
             end
           end
 
+          ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays
+
           def quote_and_escape(value)
             case value
             when "NULL"
               value
             else
-              "\"#{value.gsub(/"/,"\\\"")}\""
+              value = value.gsub(/\\/, ARRAY_ESCAPE)
+              value.gsub!(/"/,"\\\"")
+              "\"#{value}\""
             end
           end
 

diff --git a/activerecord/test/cases/adapters/postgresql/datatype_test.rb b/activerecord/test/cases/adapters/postgresql/datatype_test.rb
@@ -78,6 +78,14 @@ def teardown
      PostgresqlBitString, PostgresqlOid, PostgresqlTimestampWithZone, PostgresqlUUID].each(&:delete_all)
   end
 
+  def test_array_escaping
+    unknown = %(foo\\",bar,baz,\\)
+    nicknames = ["hello_#{unknown}"]
+    ar = PostgresqlArray.create!(nicknames: nicknames, id: 100)
+    ar.reload
+    assert_equal nicknames, ar.nicknames
+  end
+
   def test_data_type_of_array_types
     assert_equal :integer, @first_array.column_for_attribute(:commission_by_quarter).type
     assert_equal :text, @first_array.column_for_attribute(:nicknames).type