Merge branch '4-0-9' into 4-0-stable

Conflicts:
	actionpack/CHANGELOG.md
	activerecord/CHANGELOG.md
	activesupport/CHANGELOG.md
	railties/CHANGELOG.md

RAILS_VERSION

@@ -1 +1 @@
-4.0.8
+4.0.9

actionmailer/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
 ## Rails 4.0.8 (July 2, 2014) ##
 
 *No changes*

actionmailer/lib/action_mailer/version.rb

@@ -1,7 +1,7 @@
 module ActionMailer
   # Returns the version of the currently loaded ActionMailer as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.8"
+    Gem::Version.new "4.0.9"
   end
 
   module VERSION #:nodoc:

actionpack/CHANGELOG.md

@@ -42,6 +42,11 @@
     *Larry Lv*
 
 
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
 ## Rails 4.0.8 (July 2, 2014) ##
 
 *No changes*

actionpack/lib/action_pack/version.rb

@@ -1,7 +1,7 @@
 module ActionPack
   # Returns the version of the currently loaded ActionPack as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.8"
+    Gem::Version.new "4.0.9"
   end
 
   module VERSION #:nodoc:

activemodel/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
 ## Rails 4.0.8 (July 2, 2014) ##
 
 *No changes*

activemodel/lib/active_model/forbidden_attributes_protection.rb

@@ -23,5 +23,6 @@ def sanitize_for_mass_assignment(attributes)
           attributes
         end
       end
+      alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
   end
 end

activemodel/lib/active_model/version.rb

@@ -1,7 +1,7 @@
 module ActiveModel
   # Returns the version of the currently loaded ActiveModel as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.8"
+    Gem::Version.new "4.0.9"
   end
 
   module VERSION #:nodoc:

activerecord/CHANGELOG.md

@@ -75,6 +75,15 @@
     *Arun Agrawal*
 
 
+## Rails 4.0.9 (August 18, 2014) ##
+
+*   Check attributes passed to `create_with` and `where`.
+
+    Fixes CVE-2014-3514.
+
+    *Rafael Mendonça França*
+
+
 ## Rails 4.0.8 (July 2, 2014) ##
 
 *   Fix regression added from the latest security fix.

activerecord/lib/active_record/relation/query_methods.rb

@@ -1,9 +1,12 @@
 require 'active_support/core_ext/array/wrap'
+require 'active_model/forbidden_attributes_protection'
 
 module ActiveRecord
   module QueryMethods
     extend ActiveSupport::Concern
 
+    include ActiveModel::ForbiddenAttributesProtection
+
     # WhereChain objects act as placeholder for queries in which #where does not have any parameter.
     # In this case, #where must be chained with #not to return a new relation.
     class WhereChain
@@ -540,7 +543,10 @@ def where!(opts = :chain, *rest) # :nodoc:
       if opts == :chain
         WhereChain.new(self)
       else
-        references!(PredicateBuilder.references(opts)) if Hash === opts
+        if Hash === opts
+          opts = sanitize_forbidden_attributes(opts)
+          references!(PredicateBuilder.references(opts))
+        end
 
         self.where_values += build_where(opts, rest)
         self
@@ -678,7 +684,13 @@ def create_with(value)
     end
 
     def create_with!(value) # :nodoc:
-      self.create_with_value = value ? create_with_value.merge(value) : {}
+      if value
+        value = sanitize_forbidden_attributes(value)
+        self.create_with_value = create_with_value.merge(value)
+      else
+        self.create_with_value = {}
+      end
+
       self
     end
 

activerecord/lib/active_record/version.rb

@@ -1,7 +1,7 @@
 module ActiveRecord
   # Returns the version of the currently loaded ActiveRecord as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.8"
+    Gem::Version.new "4.0.9"
   end
 
   module VERSION #:nodoc:

activerecord/test/cases/forbidden_attributes_protection_test.rb

@@ -61,4 +61,34 @@ def test_regular_hash_should_still_be_used_for_mass_assignment
     assert_equal 'Guille', person.first_name
     assert_equal 'm', person.gender
   end
+
+  def test_create_with_checks_permitted
+    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Person.create_with(params).create!
+    end
+  end
+
+  def test_create_with_works_with_params_values
+    params = ProtectedParams.new(first_name: 'Guille')
+
+    person = Person.create_with(first_name: params[:first_name]).create!
+    assert_equal 'Guille', person.first_name
+  end
+
+  def test_where_checks_permitted
+    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Person.where(params).create!
+    end
+  end
+
+  def test_where_works_with_params_values
+    params = ProtectedParams.new(first_name: 'Guille')
+
+    person = Person.where(first_name: params[:first_name]).create!
+    assert_equal 'Guille', person.first_name
+  end
 end

activesupport/CHANGELOG.md

@@ -7,6 +7,11 @@
     *arthurnn*, *Yuki Nishijima*
 
 
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
 ## Rails 4.0.8 (July 2, 2014) ##
 
 *No changes*

activesupport/lib/active_support/version.rb

@@ -1,7 +1,7 @@
 module ActiveSupport
   # Returns the version of the currently loaded ActiveSupport as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.8"
+    Gem::Version.new "4.0.9"
   end
 
   module VERSION #:nodoc:

guides/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
 ## Rails 4.0.8 (July 2, 2014) ##
 
 *No changes*

railties/CHANGELOG.md

@@ -3,6 +3,12 @@
 
     *noinkling*
 
+
+## Rails 4.0.9 (August 18, 2014) ##
+
+*No changes*
+
+
 ## Rails 4.0.8 (July 2, 2014) ##
 
 *No changes*

railties/lib/rails/version.rb

@@ -2,7 +2,7 @@ module Rails
   module VERSION
     MAJOR = 4
     MINOR = 0
-    TINY  = 8
+    TINY  = 9
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

version.rb

@@ -2,7 +2,7 @@ module Rails
   module VERSION
     MAJOR = 4
     MINOR = 0
-    TINY  = 8
+    TINY  = 9
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")