adding test for CVE

activerecord/test/cases/mass_assignment_security_test.rb

@@ -287,6 +287,16 @@ def test_find_or_create_by_with_admin_role_with_attr_protected_attributes
     assert_admin_attributes(p, true)
   end
 
+  def test_attr_protected_with_newline
+    p = LoosePerson.new
+    assert_raises(ActiveRecord::UnknownAttributeError) do
+      p.attributes = {"comments=\n"=>"hax"}
+    end
+    assert_nil p.comments, "Comments is meant to be attr_protected but I assigned it with attributes="
+    p.attributes= {"comments(1)\n" => "hax"}
+    assert_nil p.comments, "Comments is meant to be attr_protected but I assigned it with attributes="
+  end
+
 end