Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Additional fix for CVE-2012-2661

While the patched PredicateBuilder in 3.1.5 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
  • Loading branch information...
commit cc2903da9f13c26ba3d94c149f31d4c53b94b2ed 1 parent 0ccdeeb
@ernie ernie authored tenderlove committed
6 activerecord/lib/active_record/relation/predicate_builder.rb
@@ -1,16 +1,16 @@
module ActiveRecord
class PredicateBuilder # :nodoc:
- def self.build_from_hash(engine, attributes, default_table, check_column = true)
+ def self.build_from_hash(engine, attributes, default_table, allow_table_name = true)
predicates = do |column, value|
table = default_table
- if value.is_a?(Hash)
+ if allow_table_name && value.is_a?(Hash)
table =, engine)
build_from_hash(engine, value, table, false)
column = column.to_s
- if check_column && column.include?('.')
+ if allow_table_name && column.include?('.')
table_name, column = column.split('.', 2)
table =, engine)
6 activerecord/test/cases/relation/where_test.rb
@@ -11,6 +11,12 @@ def test_where_error
+ def test_where_error_with_hash
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.where(:id => { :posts => {:author_id => 10} }).first
+ end
+ end
def test_where_with_table_name
post = Post.first
assert_equal post, Post.where(:posts => { 'id' => }).first

2 comments on commit cc2903d


Hi @ernie @tenderlove
Please see #6718.

I guess specification's conflict has occurred.


@kennyj posting response to that issue now. Short version -- code that treated nested hashes this was is wrong. Long version will be posted shortly.

Please sign in to comment.
Something went wrong with that request. Please try again.