
fixing attr_protected CVE-2013-0276

1 parent 2e4aa39 commit 9a48f4cf329f66682c34c86822d625d63dbb6919 @tenderlove tenderlove committed Feb 9, 2013
Showing with 4 additions and 4 deletions.
  1. +1 −1 activerecord/lib/active_record/attribute_methods.rb
  2. +3 −3 activerecord/lib/active_record/base.rb
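--- a/activerecord/lib/active_record/attribute_methods.rb
+++ b/activerecord/lib/active_record/attribute_methods.rb
@@ -130,7 +130,7 @@ def cache_attribute?(attr_name)
 # Suffixes a, ?, c become regexp /(a|\?|c)$/
 def rebuild_attribute_method_regexp
 suffixes = attribute_method_suffixes.map { |s| Regexp.escape(s) }
-@@attribute_method_regexp = /(#{suffixes.join('|')})$/.freeze
+@@attribute_method_regexp = /(#{suffixes.join('|')})\z/.freeze
 end
 # Default to =, ?, _before_type_cast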
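Review bot: The comment directly above `rebuild_attribute_method_regexp` still documents the old anchor as `/(a|\?|c)$/`, so it now contradicts the code it describes; change it to `# Suffixes a, ?, c become regexp /(a|\?|c)\z/`. A one-line why-comment on the new regexp would also save the next reader from "simplifying" it back: `# \z, not $: $ matches before any newline, so a name containing one could match a suffix mid-string`. The `@@attribute_method_regexp` class variable is shared across the whole inheritance tree, which is pre-existing and outside this fix, but worth noting if the method is ever revisited.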
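--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -2998,11 +2998,11 @@ def convert_number_column_value(value)
 def remove_attributes_protected_from_mass_assignment(attributes)
 safe_attributes =
 if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
-attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
 elsif self.class.protected_attributes.nil?
-attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/m, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
 elsif self.class.accessible_attributes.nil?
-attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/m,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
 else
 raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both."
 end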
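Review bot: The key normalisation `key.gsub(/\(.+/m, "")` is now written out six times across the three `reject` blocks, and nothing in the hunk explains why the `/m` flag matters, so a future cleanup could easily drop it from one call site and silently reopen the hole; computing the bare name once per key, with a why-comment, keeps the fix in a single place. The suffix being stripped is presumably the multiparameter form (`name(1i)`), which the hunk does not show, so the comment below hedges on that. The `else` branch and the method's closing `end` are unchanged and the method continues past the hunk.
```ruby
def remove_attributes_protected_from_mass_assignment(attributes)
  # Compare on the bare attribute name: everything from the first "(" onward
  # (presumably a multiparameter suffix) is dropped. /m is required so that a
  # key containing a newline cannot stop "." short and bypass the check.
  bare_name = lambda { |key| key.gsub(/\(.+/m, "") }
  safe_attributes =
    if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
      attributes.reject { |key, value| attributes_protected_by_default.include?(bare_name[key]) }
    elsif self.class.protected_attributes.nil?
      attributes.reject { |key, value| !self.class.accessible_attributes.include?(bare_name[key]) || attributes_protected_by_default.include?(bare_name[key]) }
    elsif self.class.accessible_attributes.nil?
      attributes.reject { |key, value| self.class.protected_attributes.include?(bare_name[key]) || attributes_protected_by_default.include?(bare_name[key]) }
    # … unchanged: else branch raising when both attr_protected and attr_accessible are declared …
```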
