Permalink
Browse files

Merge branch '4-1-5' into 4-1-stable

Conflicts:
	actionmailer/CHANGELOG.md
	actionview/CHANGELOG.md
	activerecord/CHANGELOG.md
	activesupport/CHANGELOG.md
	railties/CHANGELOG.md
  • Loading branch information...
2 parents 28c1a81 + 9bb7626 commit 9c297ce93610bcd878f5a5ca8e737bf057fc2d85 @rafaelfranca rafaelfranca committed Aug 18, 2014
View
2 RAILS_VERSION
@@ -1 +1 @@
-4.1.4
+4.1.5
View
5 actionmailer/CHANGELOG.md
@@ -13,6 +13,11 @@
*Yves Senn*
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
View
2 actionmailer/lib/action_mailer/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
View
2 actionpack/lib/action_pack/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
View
5 actionview/CHANGELOG.md
@@ -16,6 +16,11 @@
*Jiri Pospisil*
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
View
2 actionview/lib/action_view/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
View
5 activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
View
1 activemodel/lib/active_model/forbidden_attributes_protection.rb
@@ -23,5 +23,6 @@ def sanitize_for_mass_assignment(attributes)
attributes
end
end
+ alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
end
end
View
2 activemodel/lib/active_model/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
View
5 activerecord/CHANGELOG.md
@@ -157,6 +157,11 @@
*Arun Agrawal*
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* Fix regression added from the latest security fix.
View
2 activerecord/lib/active_record/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
View
16 activerecord/lib/active_record/relation/query_methods.rb
@@ -1,9 +1,12 @@
require 'active_support/core_ext/array/wrap'
+require 'active_model/forbidden_attributes_protection'
module ActiveRecord
module QueryMethods
extend ActiveSupport::Concern
+ include ActiveModel::ForbiddenAttributesProtection
+
# WhereChain objects act as placeholder for queries in which #where does not have any parameter.
# In this case, #where must be chained with #not to return a new relation.
class WhereChain
@@ -561,7 +564,10 @@ def where!(opts = :chain, *rest) # :nodoc:
if opts == :chain
WhereChain.new(self)
else
- references!(PredicateBuilder.references(opts)) if Hash === opts
+ if Hash === opts
+ opts = sanitize_forbidden_attributes(opts)
+ references!(PredicateBuilder.references(opts))
+ end
self.where_values += build_where(opts, rest)
self
@@ -711,7 +717,13 @@ def create_with(value)
end
def create_with!(value) # :nodoc:
- self.create_with_value = value ? create_with_value.merge(value) : {}
+ if value
+ value = sanitize_forbidden_attributes(value)
+ self.create_with_value = create_with_value.merge(value)
+ else
+ self.create_with_value = {}
+ end
+
self
end
View
30 activerecord/test/cases/forbidden_attributes_protection_test.rb
@@ -66,4 +66,34 @@ def test_blank_attributes_should_not_raise
person = Person.new
assert_nil person.assign_attributes(ProtectedParams.new({}))
end
+
+ def test_create_with_checks_permitted
+ params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Person.create_with(params).create!
+ end
+ end
+
+ def test_create_with_works_with_params_values
+ params = ProtectedParams.new(first_name: 'Guille')
+
+ person = Person.create_with(first_name: params[:first_name]).create!
+ assert_equal 'Guille', person.first_name
+ end
+
+ def test_where_checks_permitted
+ params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Person.where(params).create!
+ end
+ end
+
+ def test_where_works_with_params_values
+ params = ProtectedParams.new(first_name: 'Guille')
+
+ person = Person.where(first_name: params[:first_name]).create!
+ assert_equal 'Guille', person.first_name
+ end
end
View
5 activesupport/CHANGELOG.md
@@ -27,6 +27,11 @@
*Juanjo Bazán*
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
View
2 activesupport/lib/active_support/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
View
5 guides/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 4.1.5 (August 18, 2014) ##
+
+* No changes.
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
View
9 railties/CHANGELOG.md
@@ -13,6 +13,15 @@
*Yves Senn*, *Carlos Antonio da Silva*, *Robin Dupret*
+## Rails 4.1.5 (August 18, 2014) ##
+
+* Check attributes passed to `create_with` and `where`.
+
+ Fixes CVE-2014-3514.
+
+ *Rafael Mendonça França*
+
+
## Rails 4.1.4 (July 2, 2014) ##
* No changes.
View
2 railties/lib/rails/gem_version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
View
2 version.rb
@@ -7,7 +7,7 @@ def self.gem_version
module VERSION
MAJOR = 4
MINOR = 1
- TINY = 4
+ TINY = 5
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

0 comments on commit 9c297ce

Please sign in to comment.