@@ -88,22 +88,25 module ActionController | |||
|
88 | 88 | |
|
89 | 89 | # CVE-2012-2660 |
|
90 | 90 | # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f |
|
91 | # CVE-2012-2694 | |
|
92 | # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e | |
|
91 | 93 | class Request |
|
92 | 94 | protected |
|
93 | 95 | |
|
94 | 96 | # Remove nils from the params hash |
|
95 | 97 | def deep_munge(hash) |
|
98 | keys = hash.keys.find_all { |k| hash[k] == [nil] } | |
|
99 | keys.each { |k| hash[k] = nil } | |
|
100 | ||
|
96 | 101 | hash.each_value do |v| |
|
97 | 102 | case v |
|
98 | 103 | when Array |
|
99 | 104 | v.grep(Hash) { |x| deep_munge(x) } |
|
105 | v.compact! | |
|
100 | 106 | when Hash |
|
101 | 107 | deep_munge(v) |
|
102 | 108 | end |
|
103 | 109 | end |
|
104 | ||
|
105 | keys = hash.keys.find_all { |k| hash[k] == [nil] } | |
|
106 | keys.each { |k| hash[k] = nil } | |
|
107 | 110 | hash |
|
108 | 111 | end |
|
109 | 112 | |
@@ -112,3 +115,40 module ActionController | |||
|
112 | 115 | end |
|
113 | 116 | end |
|
114 | 117 | end |
|
118 | ||
|
119 | # CVE-2012-2695 | |
|
120 | # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59 | |
|
121 | module ActiveRecord | |
|
122 | class Base | |
|
123 | class << self | |
|
124 | def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true) | |
|
125 | attrs = expand_hash_conditions_for_aggregates(attrs) | |
|
126 | ||
|
127 | conditions = attrs.map do |attr, value| | |
|
128 | table_name = default_table_name | |
|
129 | ||
|
130 | if not value.is_a?(Hash) | |
|
131 | attr = attr.to_s | |
|
132 | ||
|
133 | # Extract table name from qualified attribute names. | |
|
134 | if attr.include?('.') and top_level | |
|
135 | attr_table_name, attr = attr.split('.', 2) | |
|
136 | attr_table_name = connection.quote_table_name(attr_table_name) | |
|
137 | else | |
|
138 | attr_table_name = table_name | |
|
139 | end | |
|
140 | ||
|
141 | attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value) | |
|
142 | elsif top_level | |
|
143 | sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false) | |
|
144 | else | |
|
145 | raise ActiveRecord::StatementInvalid | |
|
146 | end | |
|
147 | end.join(' AND ') | |
|
148 | ||
|
149 | replace_bind_variables(conditions, expand_range_bind_variables(attrs.values)) | |
|
150 | end | |
|
151 | alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions | |
|
152 | end | |
|
153 | end | |
|
154 | end |
@@ -13,6 +13,7 http://www.redmine.org/ | |||
|
13 | 13 | * Defect #11178: Spent time sorted by date-descending order lists same-date entries in physical order |
|
14 | 14 | * Feature #6597: Configurable session lifetime and timeout |
|
15 | 15 | * Patch #11113: Small glitch in German localization |
|
16 | * Fix for Rails vulnerabilities CVE-2012-2694 and CVE-2012-2695 | |
|
16 | 17 | |
|
17 | 18 | == 2012-06-05 v1.4.3 |
|
18 | 19 |