Fixes #23028 - Properly escape params passed to where (CVE-2018-1096) (…

…#5363)
theforeman · Mar 27, 2018 · 274665e · 274665e
1 parent 9dc411a
commit 274665e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
@@ -56,7 +56,7 @@ def save_positions
     errors = []
     filter = self.class.widget_params_filter
     params.fetch(:widgets, []).each do |id, values|
-      widget = User.current.widgets.where("id = #{id}").first
+      widget = User.current.widgets.where(:id => id).first
       values = filter.filter_params(values, parameter_filter_context, :none)
       errors << widget.errors unless widget.update_attributes(values)
     end