Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Merge branch '4-0-9' into 4-0-stable

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
	activesupport/CHANGELOG.md
	railties/CHANGELOG.md
  • Loading branch information...
commit d01651a360a0ecea6eb78dcb03fc44120bd83495 2 parents ca152fc + b792566
Rafael Mendonça França rafaelfranca authored
2  RAILS_VERSION
View
@@ -1 +1 @@
-4.0.8
+4.0.9
5 actionmailer/CHANGELOG.md
View
@@ -1,3 +1,8 @@
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
## Rails 4.0.8 (July 2, 2014) ##
*No changes*
2  actionmailer/lib/action_mailer/version.rb
View
@@ -1,7 +1,7 @@
module ActionMailer
# Returns the version of the currently loaded ActionMailer as a Gem::Version
def self.version
- Gem::Version.new "4.0.8"
+ Gem::Version.new "4.0.9"
end
module VERSION #:nodoc:
5 actionpack/CHANGELOG.md
View
@@ -42,6 +42,11 @@
*Larry Lv*
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
## Rails 4.0.8 (July 2, 2014) ##
*No changes*
2  actionpack/lib/action_pack/version.rb
View
@@ -1,7 +1,7 @@
module ActionPack
# Returns the version of the currently loaded ActionPack as a Gem::Version
def self.version
- Gem::Version.new "4.0.8"
+ Gem::Version.new "4.0.9"
end
module VERSION #:nodoc:
5 activemodel/CHANGELOG.md
View
@@ -1,3 +1,8 @@
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
## Rails 4.0.8 (July 2, 2014) ##
*No changes*
1  activemodel/lib/active_model/forbidden_attributes_protection.rb
View
@@ -23,5 +23,6 @@ def sanitize_for_mass_assignment(attributes)
attributes
end
end
+ alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
end
end
2  activemodel/lib/active_model/version.rb
View
@@ -1,7 +1,7 @@
module ActiveModel
# Returns the version of the currently loaded ActiveModel as a Gem::Version
def self.version
- Gem::Version.new "4.0.8"
+ Gem::Version.new "4.0.9"
end
module VERSION #:nodoc:
9 activerecord/CHANGELOG.md
View
@@ -75,6 +75,15 @@
*Arun Agrawal*
+## Rails 4.0.9 (August 18, 2014) ##
+
+* Check attributes passed to `create_with` and `where`.
+
+ Fixes CVE-2014-3514.
+
+ *Rafael Mendonça França*
+
+
## Rails 4.0.8 (July 2, 2014) ##
* Fix regression added from the latest security fix.
16 activerecord/lib/active_record/relation/query_methods.rb
View
@@ -1,9 +1,12 @@
require 'active_support/core_ext/array/wrap'
+require 'active_model/forbidden_attributes_protection'
module ActiveRecord
module QueryMethods
extend ActiveSupport::Concern
+ include ActiveModel::ForbiddenAttributesProtection
+
# WhereChain objects act as placeholder for queries in which #where does not have any parameter.
# In this case, #where must be chained with #not to return a new relation.
class WhereChain
@@ -540,7 +543,10 @@ def where!(opts = :chain, *rest) # :nodoc:
if opts == :chain
WhereChain.new(self)
else
- references!(PredicateBuilder.references(opts)) if Hash === opts
+ if Hash === opts
+ opts = sanitize_forbidden_attributes(opts)
+ references!(PredicateBuilder.references(opts))
+ end
self.where_values += build_where(opts, rest)
self
@@ -678,7 +684,13 @@ def create_with(value)
end
def create_with!(value) # :nodoc:
- self.create_with_value = value ? create_with_value.merge(value) : {}
+ if value
+ value = sanitize_forbidden_attributes(value)
+ self.create_with_value = create_with_value.merge(value)
+ else
+ self.create_with_value = {}
+ end
+
self
end
2  activerecord/lib/active_record/version.rb
View
@@ -1,7 +1,7 @@
module ActiveRecord
# Returns the version of the currently loaded ActiveRecord as a Gem::Version
def self.version
- Gem::Version.new "4.0.8"
+ Gem::Version.new "4.0.9"
end
module VERSION #:nodoc:
30 activerecord/test/cases/forbidden_attributes_protection_test.rb
View
@@ -61,4 +61,34 @@ def test_regular_hash_should_still_be_used_for_mass_assignment
assert_equal 'Guille', person.first_name
assert_equal 'm', person.gender
end
+
+ def test_create_with_checks_permitted
+ params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Person.create_with(params).create!
+ end
+ end
+
+ def test_create_with_works_with_params_values
+ params = ProtectedParams.new(first_name: 'Guille')
+
+ person = Person.create_with(first_name: params[:first_name]).create!
+ assert_equal 'Guille', person.first_name
+ end
+
+ def test_where_checks_permitted
+ params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Person.where(params).create!
+ end
+ end
+
+ def test_where_works_with_params_values
+ params = ProtectedParams.new(first_name: 'Guille')
+
+ person = Person.where(first_name: params[:first_name]).create!
+ assert_equal 'Guille', person.first_name
+ end
end
5 activesupport/CHANGELOG.md
View
@@ -7,6 +7,11 @@
*arthurnn*, *Yuki Nishijima*
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
## Rails 4.0.8 (July 2, 2014) ##
*No changes*
2  activesupport/lib/active_support/version.rb
View
@@ -1,7 +1,7 @@
module ActiveSupport
# Returns the version of the currently loaded ActiveSupport as a Gem::Version
def self.version
- Gem::Version.new "4.0.8"
+ Gem::Version.new "4.0.9"
end
module VERSION #:nodoc:
5 guides/CHANGELOG.md
View
@@ -1,3 +1,8 @@
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
## Rails 4.0.8 (July 2, 2014) ##
*No changes*
6 railties/CHANGELOG.md
View
@@ -3,6 +3,12 @@
*noinkling*
+
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
## Rails 4.0.8 (July 2, 2014) ##
*No changes*
2  railties/lib/rails/version.rb
View
@@ -2,7 +2,7 @@ module Rails
module VERSION
MAJOR = 4
MINOR = 0
- TINY = 8
+ TINY = 9
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
2  version.rb
View
@@ -2,7 +2,7 @@ module Rails
module VERSION
MAJOR = 4
MINOR = 0
- TINY = 8
+ TINY = 9
PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
Please sign in to comment.
Something went wrong with that request. Please try again.