Browse files

predicate builder should not recurse for determining where columns.

Thanks to Ben Murphy for reporting this

CVE-2012-2661
  • Loading branch information...
1 parent e74e479 commit 99f030934eb8341db333cb6783d0f42bfa57358f @tenderlove tenderlove committed May 30, 2012
View
6 activerecord/lib/active_record/relation/predicate_builder.rb
@@ -5,17 +5,17 @@ def initialize(engine)
@engine = engine
end
- def build_from_hash(attributes, default_table)
+ def build_from_hash(attributes, default_table, check_column = true)
predicates = attributes.map do |column, value|
table = default_table
if value.is_a?(Hash)
table = Arel::Table.new(column, :engine => @engine)
- build_from_hash(value, table)
+ build_from_hash(value, table, false)
else
column = column.to_s
- if column.include?('.')
+ if check_column && column.include?('.')
table_name, column = column.split('.', 2)
table = Arel::Table.new(table_name, :engine => @engine)
end
View
19 activerecord/test/cases/relation/where_test.rb
@@ -0,0 +1,19 @@
+require "cases/helper"
+require 'models/post'
+
+module ActiveRecord
+ class WhereTest < ActiveRecord::TestCase
+ fixtures :posts
+
+ def test_where_error
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.where(:id => { 'posts.author_id' => 10 }).first
+ end
+ end
+
+ def test_where_with_table_name
+ post = Post.first
+ assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+ end
+ end
+end

0 comments on commit 99f0309

Please sign in to comment.