Merge branch '3-0-stable-sec' into 3-0-stable-rel

* 3-0-stable-sec: Array parameters should not contain nil values. Additional fix for CVE-2012-2661
rails · Jun 11, 2012 · b9e048c · b9e048c
2 parents 6c0c40b + 2f3bc04
commit b9e048c
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 5 deletions.
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
@@ -262,17 +262,19 @@ def local?
 
     # Remove nils from the params hash
     def deep_munge(hash)
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+
       hash.each_value do |v|
         case v
         when Array
           v.grep(Hash) { |x| deep_munge(x) }
+          v.compact!
         when Hash
           deep_munge(v)
         end
       end
 
-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
-      keys.each { |k| hash[k] = nil }
       hash
     end
 

diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
@@ -89,6 +89,10 @@ def teardown
     assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
   end
 
+  def test_array_parses_without_nil
+    assert_parses({"action" => ['1']}, "action[]=1&action[]")
+  end
+
   test "query string with empty key" do
     assert_parses(
       { "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },

diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -5,17 +5,17 @@ def initialize(engine)
       @engine = engine
     end
 
-    def build_from_hash(attributes, default_table, check_column = true)
+    def build_from_hash(attributes, default_table, allow_table_name = true)
       predicates = attributes.map do |column, value|
         table = default_table
 
-        if value.is_a?(Hash)
+        if allow_table_name && value.is_a?(Hash)
           table = Arel::Table.new(column, :engine => @engine)
           build_from_hash(value, table, false)
         else
           column = column.to_s
 
-          if check_column && column.include?('.')
+          if allow_table_name && column.include?('.')
             table_name, column = column.split('.', 2)
             table = Arel::Table.new(table_name, :engine => @engine)
           end

diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
@@ -11,6 +11,12 @@ def test_where_error
       end
     end
 
+    def test_where_error_with_hash
+      assert_raises(ActiveRecord::StatementInvalid) do
+        Post.where(:id => { :posts => {:author_id => 10} }).first
+      end
+    end
+
     def test_where_with_table_name
       post = Post.first
       assert_equal post, Post.where(:posts => { 'id' => post.id }).first