
Whitelist the methods which are called by multiparameter attribute as…

…signment.

This prevents users from causing NoMethodErrors and the like by editing the parameter names, and closes a potential exploit of CVE-2009-1904.
1 parent b6fde6b commit c014c3e5c14beb71fa7c67f15448386d0ffaba28 @NZKoz NZKoz committed Jun 10, 2009
Showing with 8 additions and 8 deletions.
  1. +8 −8 activerecord/lib/active_record/base.rb
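--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -3043,11 +3043,11 @@ def instantiate_time_object(name, values)
 def execute_callstack_for_multiparameter_attributes(callstack)
 errors = []
 callstack.each do |name, values|
-klass = (self.class.reflect_on_aggregation(name.to_sym) || column_for_attribute(name)).klass
-if values.empty?
-send(name + "=", nil)
-else
-begin
+begin
+klass = (self.class.reflect_on_aggregation(name.to_sym) || column_for_attribute(name)).klass
+if values.empty?
+send(name + "=", nil)
+else
 value = if Time == klass
 instantiate_time_object(name, values)
 elsif Date == klass
@@ -3061,9 +3061,9 @@ def execute_callstack_for_multiparameter_attributes(callstack)
 end
 send(name + "=", value)
-rescue => ex
-errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name}", ex, name)
 end
+rescue => ex
+errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name}", ex, name)
 end
 end
 unless errors.empty?
@@ -3089,7 +3089,7 @@ def extract_callstack_for_multiparameter_attributes(pairs)
 end
 def type_cast_attribute_value(multiparameter_name, value)
-multiparameter_name =~ /\([0-9]*([a-z])\)/ ? value.send("to_" + $1) : value
+multiparameter_name =~ /\([0-9]*([if])\)/ ? value.send("to_" + $1) : value
 end
 def find_parameter_position(multiparameter_name)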
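Review bot: type_cast_attribute_value still falls through to the raw `value` for any suffix outside the new `[if]` whitelist, so a name such as `(1s)` that previously invoked `to_s` now silently assigns the unconverted string instead of failing, and nothing in the hunk records that this is deliberate. A one-line comment above the match would capture the contract: `# only to_i/to_f may be invoked via a multiparameter type suffix; any other suffix leaves the value untouched`. Reading the capture through `$1` right after `=~` works, but `Regexp.last_match(1)` (or a named capture) makes the dependence on the preceding match explicit. The first hunk deserves the same treatment: with the `klass` lookup now inside `begin`, an unrecognised attribute name surfaces as an AttributeAssignmentError rather than a bare NoMethodError, and a short comment on the `begin` line stating that intent would help the next reader.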
