Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Additional fix for CVE-2012-2661

While the patched PredicateBuilder in 3.1.5 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
  • Loading branch information...
commit 8355abf153615a717c0d0e4a58b2bfca39b35025 1 parent a1a71ab
Ernie Miller ernie authored tenderlove committed
6 activerecord/lib/active_record/relation/predicate_builder.rb
View
@@ -1,16 +1,16 @@
module ActiveRecord
class PredicateBuilder # :nodoc:
- def self.build_from_hash(engine, attributes, default_table, check_column = true)
+ def self.build_from_hash(engine, attributes, default_table, allow_table_name = true)
predicates = attributes.map do |column, value|
table = default_table
- if value.is_a?(Hash)
+ if allow_table_name && value.is_a?(Hash)
table = Arel::Table.new(column, engine)
build_from_hash(engine, value, table, false)
else
column = column.to_s
- if check_column && column.include?('.')
+ if allow_table_name && column.include?('.')
table_name, column = column.split('.', 2)
table = Arel::Table.new(table_name, engine)
end
6 activerecord/test/cases/relation/where_test.rb
View
@@ -11,6 +11,12 @@ def test_where_error
end
end
+ def test_where_error_with_hash
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.where(:id => { :posts => {:author_id => 10} }).first
+ end
+ end
+
def test_where_with_table_name
post = Post.first
assert_equal post, Post.where(:posts => { 'id' => post.id }).first
Please sign in to comment.
Something went wrong with that request. Please try again.