Additional fix for CVE-2012-2661

While the patched PredicateBuilder in 3.1.5 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
commit 8355abf153615a717c0d0e4a58b2bfca39b35025 1 parent a1a71ab
Ernie Miller authored June 08, 2012 tenderlove committed June 08, 2012
6  activerecord/lib/active_record/relation/predicate_builder.rb
@@ -1,16 +1,16 @@
1 1
 module ActiveRecord
2 2
   class PredicateBuilder # :nodoc:
3  
-    def self.build_from_hash(engine, attributes, default_table, check_column = true)
  3
+    def self.build_from_hash(engine, attributes, default_table, allow_table_name = true)
4 4
       predicates = attributes.map do |column, value|
5 5
         table = default_table
6 6
 
7  
-        if value.is_a?(Hash)
  7
+        if allow_table_name && value.is_a?(Hash)
8 8
           table = Arel::Table.new(column, engine)
9 9
           build_from_hash(engine, value, table, false)
10 10
         else
11 11
           column = column.to_s
12 12
 
13  
-          if check_column && column.include?('.')
  13
+          if allow_table_name && column.include?('.')
14 14
             table_name, column = column.split('.', 2)
15 15
             table = Arel::Table.new(table_name, engine)
16 16
           end
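Review bot: with `allow_table_name` false, a Hash value no longer switches table context, but it is not rejected either: it falls through to the `else` branch, where only the column name is normalised (`column = column.to_s`) and the Hash itself is passed on as the predicate value, so the caller only learns about the bad input when the database adapter fails on it. Consider raising an explicit error in this branch instead (for example `raise ArgumentError, "nested hash not allowed here" if value.is_a?(Hash)`) so the rejection happens in ActiveRecord rather than deep in the adapter. A short comment above `if allow_table_name && value.is_a?(Hash)` explaining that a nested hash is treated as `table => { column => value }` only at the top level, and why the recursive call hard-codes `false`, would also make the intent of the rename from `check_column` to `allow_table_name` clear to the next reader.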
6  activerecord/test/cases/relation/where_test.rb
@@ -11,6 +11,12 @@ def test_where_error
11 11
       end
12 12
     end
13 13
 
  14
+    def test_where_error_with_hash
  15
+      assert_raises(ActiveRecord::StatementInvalid) do
  16
+        Post.where(:id => { :posts => {:author_id => 10} }).first
  17
+      end
  18
+    end
  19
+
14 20
     def test_where_with_table_name
15 21
       post = Post.first
16 22
       assert_equal post, Post.where(:posts => { 'id' => post.id }).first
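Review bot: `test_where_error_with_hash` only asserts that `ActiveRecord::StatementInvalid` is raised, which depends on the database adapter choking on a Hash value rather than on the builder refusing to change table context; on an adapter that serialises the Hash without complaint the test would pass for the wrong reason, and if the builder were changed to raise its own error the test would start failing. A tighter check is to assert on the generated SQL, e.g. that `Post.where(:id => { :posts => {:author_id => 10} }).to_sql` does not reference `"posts"."author_id"`, and to give the test a name that states the property being protected (such as `test_nested_hash_does_not_change_table`) rather than the error it happens to trigger.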
