Patch sql injection vulnerability when using integer or float columns.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
rails · Jul 27, 2006 · 99e9fae · 99e9fae
1 parent d70d521
commit 99e9fae
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Patch sql injection vulnerability when using integer or float columns. [Jamis Buck]
+
 * Allow #count through a has_many association to accept :include.  [Dan Peterson]
 
 * create_table rdoc: suggest :id => false for habtm join tables. [Zed Shaw]

diff --git a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
@@ -11,7 +11,8 @@ def quote(value, column = nil)
           when String
             if column && column.type == :binary && column.class.respond_to?(:string_to_binary)
               "'#{quote_string(column.class.string_to_binary(value))}'" # ' (for ruby-mode)
-            elsif column && [:integer, :float].include?(column.type) 
+            elsif column && [:integer, :float].include?(column.type)
+              value = column.type == :integer ? value.to_i : value.to_f
               value.to_s
             else
               "'#{quote_string(value)}'" # ' (for ruby-mode)

diff --git a/activerecord/test/base_test.rb b/activerecord/test/base_test.rb
@@ -961,6 +961,12 @@ def test_quote_keys
     assert_equal("<baz>", inverted["quux"])
   end
 
+  def test_sql_injection_via_find
+    assert_raises(ActiveRecord::RecordNotFound) do
+      Topic.find("123456 OR id > 0")
+    end
+  end
+
   def test_column_name_properly_quoted
     col_record = ColumnName.new
     col_record.references = 40