| @@ -115,3 +115,43 module ActionController | |||||
| 115 | end |
|
115 | end | |
| 116 | end |
|
116 | end | |
| 117 | end |
|
117 | end | |
|
|
118 | ||||
|
|
119 | # Fix for CVE-2013-0155 | |||
|
|
120 | # https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J | |||
|
|
121 | module ActiveRecord | |||
|
|
122 | class Base | |||
|
|
123 | class << self | |||
|
|
124 | protected | |||
|
|
125 | def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true) | |||
|
|
126 | attrs = expand_hash_conditions_for_aggregates(attrs) | |||
|
|
127 | ||||
|
|
128 | return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty? | |||
|
|
129 | ||||
|
|
130 | conditions = attrs.map do |attr, value| | |||
|
|
131 | table_name = default_table_name | |||
|
|
132 | ||||
|
|
133 | if not value.is_a?(Hash) | |||
|
|
134 | attr = attr.to_s | |||
|
|
135 | ||||
|
|
136 | # Extract table name from qualified attribute names. | |||
|
|
137 | if attr.include?('.') and top_level | |||
|
|
138 | attr_table_name, attr = attr.split('.', 2) | |||
|
|
139 | attr_table_name = connection.quote_table_name(attr_table_name) | |||
|
|
140 | else | |||
|
|
141 | attr_table_name = table_name | |||
|
|
142 | end | |||
|
|
143 | ||||
|
|
144 | attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value) | |||
|
|
145 | elsif top_level | |||
|
|
146 | sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false) | |||
|
|
147 | else | |||
|
|
148 | raise ActiveRecord::StatementInvalid | |||
|
|
149 | end | |||
|
|
150 | end.join(' AND ') | |||
|
|
151 | ||||
|
|
152 | replace_bind_variables(conditions, expand_range_bind_variables(attrs.values)) | |||
|
|
153 | end | |||
|
|
154 | alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions | |||
|
|
155 | end | |||
|
|
156 | end | |||
|
|
157 | end | |||
General Comments 0
You need to be logged in to leave comments.
Login now