Merge branch '3-2-sec' into 3-2-secmerge

* 3-2-sec:
  CVE-2012-5664 options hashes should only be extracted if there are extra parameters
  updating changelog
  updating the changelogs
  updating the changelog for the CVE
  Add release date of Rails 3.2.9 to documentation

Conflicts:
	actionmailer/CHANGELOG.md
	actionpack/CHANGELOG.md
	activemodel/CHANGELOG.md
	activerecord/CHANGELOG.md
	activeresource/CHANGELOG.md
	activesupport/CHANGELOG.md
	railties/CHANGELOG.md

9 files changed, 47 insertions, 6 deletions

diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
index d4d592a964..e8257fd63c 100644
--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@@ -1,4 +1,8 @@
-## Rails 3.2.10 (unreleased) ##
+## Rails 3.2.11 (unreleased) ##
+
+## Rails 3.2.10 ##
+
+## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   The return value from mailer methods is no longer relevant. This fixes a bug,
     which was introduced with 3.2.9.
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index a681a2dc79..6917d0e06c 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,4 +1,4 @@
-## Rails 3.2.10 (unreleased) ##
+## Rails 3.2.11 (unreleased) ##
 
 *   Clear url helper methods when routes are reloaded by removing the methods
     explicitly rather than just clearing the module because it didn't work
@@ -72,6 +72,8 @@
 
     *Daniel Fox, Grant Hutchins & Trace Wax*
 
+## Rails 3.2.10 ##
+
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   Clear url helpers when reloading routes.
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
index d98df4cb91..2cb51945fd 100644
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,7 +1,8 @@
-## Rails 3.2.10 (unreleased) ##
+## Rails 3.2.11 (unreleased) ##
 
 *   Specify type of singular association during serialization *Steve Klabnik*
 
+## Rails 3.2.10 ##
 
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index 083474eed0..1d682e03bf 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,4 +1,4 @@
-## Rails 3.2.10 (unreleased)
+## Rails 3.2.11 (unreleased)
 
 *   Serialized attributes can be serialized in integer columns.
     Fix #8575.
@@ -180,6 +180,13 @@
 
     *Alexis Bernard*
 
+## Rails 3.2.10 ##
+
+*   CVE-2012-5664 options hashes should only be extracted if there are extra
+    parameters
+
+## Rails 3.2.9 (Nov 12, 2012) ##
+
 *   Fix issue with collection associations calling first(n)/last(n) and attempting
     to set the inverse association when `:inverse_of` was used. Fixes #8087.
 
diff --git a/activerecord/lib/active_record/dynamic_matchers.rb b/activerecord/lib/active_record/dynamic_matchers.rb
index b6b8e24436..f15d0b7611 100644
--- a/activerecord/lib/active_record/dynamic_matchers.rb
+++ b/activerecord/lib/active_record/dynamic_matchers.rb
@@ -40,7 +40,12 @@ module ActiveRecord
           METHOD
           send(method_id, *arguments)
         elsif match.finder?
-          options = arguments.extract_options!
+          options = if arguments.length > attribute_names.size
+                      arguments.extract_options!
+                    else
+                      {}
+                    end
+
           relation = options.any? ? scoped(options) : scoped
           relation.send :find_by_attributes, match, attribute_names, *arguments, &block
         elsif match.instantiator?
diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb
index e50a334958..7d63d76c34 100644
--- a/activerecord/test/cases/finder_test.rb
+++ b/activerecord/test/cases/finder_test.rb
@@ -15,6 +15,18 @@ require 'models/toy'
 class FinderTest < ActiveRecord::TestCase
   fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers, :categories, :categorizations
 
+  def test_find_by_id_with_hash
+    assert_raises(ActiveRecord::StatementInvalid) do
+      Post.find_by_id(:limit => 1)
+    end
+  end
+
+  def test_find_by_title_and_id_with_hash
+    assert_raises(ActiveRecord::StatementInvalid) do
+      Post.find_by_title_and_id('foo', :limit => 1)
+    end
+  end
+
   def test_find
     assert_equal(topics(:first).title, Topic.find(1).title)
   end
diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md
index bdd50ab8b2..e77980f3b5 100644
--- a/activeresource/CHANGELOG.md
+++ b/activeresource/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.2.11 ##
+
+## Rails 3.2.10 ##
+
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   No changes.
diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md
index 88707d7edb..834dff60c9 100644
--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,4 +1,4 @@
-## Rails 3.2.10 (unreleased)
+## Rails 3.2.11 (unreleased)
 
 *   Remove surrogate unicode character encoding from ActiveSupport::JSON.encode
     The encoding scheme was broken for unicode characters outside the basic
@@ -19,6 +19,8 @@
 
     *Daniele Sluijters*
 
+## Rails 3.2.10 ##
+
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   Add logger.push_tags and .pop_tags to complement logger.tagged:
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 9110fdc673..33ba020e0a 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.2.11 ##
+
+## Rails 3.2.10 ##
+
 ## Rails 3.2.9 (Nov 12, 2012) ##
 
 *   Engines with a dummy app include the rake tasks of dependencies in the app namespace. [Backport: #8262]