| @@ -88,22 +88,25 module ActionController | |||||
| 88 |
|
88 | |||
| 89 | # CVE-2012-2660 |
|
89 | # CVE-2012-2660 | |
| 90 | # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f |
|
90 | # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f | |
|
|
91 | # CVE-2012-2694 | |||
|
|
92 | # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e | |||
| 91 | class Request |
|
93 | class Request | |
| 92 | protected |
|
94 | protected | |
| 93 |
|
95 | |||
| 94 | # Remove nils from the params hash |
|
96 | # Remove nils from the params hash | |
| 95 | def deep_munge(hash) |
|
97 | def deep_munge(hash) | |
|
|
98 | keys = hash.keys.find_all { |k| hash[k] == [nil] } | |||
|
|
99 | keys.each { |k| hash[k] = nil } | |||
|
|
100 | ||||
| 96 | hash.each_value do |v| |
|
101 | hash.each_value do |v| | |
| 97 | case v |
|
102 | case v | |
| 98 | when Array |
|
103 | when Array | |
| 99 | v.grep(Hash) { |x| deep_munge(x) } |
|
104 | v.grep(Hash) { |x| deep_munge(x) } | |
|
|
105 | v.compact! | |||
| 100 | when Hash |
|
106 | when Hash | |
| 101 | deep_munge(v) |
|
107 | deep_munge(v) | |
| 102 | end |
|
108 | end | |
| 103 | end |
|
109 | end | |
| 104 |
|
||||
| 105 | keys = hash.keys.find_all { |k| hash[k] == [nil] } |
|
|||
| 106 | keys.each { |k| hash[k] = nil } |
|
|||
| 107 | hash |
|
110 | hash | |
| 108 | end |
|
111 | end | |
| 109 |
|
112 | |||
| @@ -112,3 +115,40 module ActionController | |||||
| 112 | end |
|
115 | end | |
| 113 | end |
|
116 | end | |
| 114 | end |
|
117 | end | |
|
|
118 | ||||
|
|
119 | # CVE-2012-2695 | |||
|
|
120 | # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59 | |||
|
|
121 | module ActiveRecord | |||
|
|
122 | class Base | |||
|
|
123 | class << self | |||
|
|
124 | def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true) | |||
|
|
125 | attrs = expand_hash_conditions_for_aggregates(attrs) | |||
|
|
126 | ||||
|
|
127 | conditions = attrs.map do |attr, value| | |||
|
|
128 | table_name = default_table_name | |||
|
|
129 | ||||
|
|
130 | if not value.is_a?(Hash) | |||
|
|
131 | attr = attr.to_s | |||
|
|
132 | ||||
|
|
133 | # Extract table name from qualified attribute names. | |||
|
|
134 | if attr.include?('.') and top_level | |||
|
|
135 | attr_table_name, attr = attr.split('.', 2) | |||
|
|
136 | attr_table_name = connection.quote_table_name(attr_table_name) | |||
|
|
137 | else | |||
|
|
138 | attr_table_name = table_name | |||
|
|
139 | end | |||
|
|
140 | ||||
|
|
141 | attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value) | |||
|
|
142 | elsif top_level | |||
|
|
143 | sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false) | |||
|
|
144 | else | |||
|
|
145 | raise ActiveRecord::StatementInvalid | |||
|
|
146 | end | |||
|
|
147 | end.join(' AND ') | |||
|
|
148 | ||||
|
|
149 | replace_bind_variables(conditions, expand_range_bind_variables(attrs.values)) | |||
|
|
150 | end | |||
|
|
151 | alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions | |||
|
|
152 | end | |||
|
|
153 | end | |||
|
|
154 | end | |||
| @@ -13,6 +13,7 http://www.redmine.org/ | |||||
| 13 | * Defect #11178: Spent time sorted by date-descending order lists same-date entries in physical order |
|
13 | * Defect #11178: Spent time sorted by date-descending order lists same-date entries in physical order | |
| 14 | * Feature #6597: Configurable session lifetime and timeout |
|
14 | * Feature #6597: Configurable session lifetime and timeout | |
| 15 | * Patch #11113: Small glitch in German localization |
|
15 | * Patch #11113: Small glitch in German localization | |
|
|
16 | * Fix for Rails vulnerabilities CVE-2012-2694 and CVE-2012-2695 | |||
| 16 |
|
17 | |||
| 17 | == 2012-06-05 v1.4.3 |
|
18 | == 2012-06-05 v1.4.3 | |
| 18 |
|
19 | |||
General Comments 0
You need to be logged in to leave comments.
Login now