authorJamis Buck <jamis@37signals.com>2006-07-27 18:29:49 +0000
committerJamis Buck <jamis@37signals.com>2006-07-27 18:29:49 +0000
commit99e9faeda8f039d34e9eeab319e8adc13cb9bc86 (patch)
tree318d2714fedd28cd90efc91c1b859286317e5241
parentd70d5219554b55b24586d559bd39d829317d523d (diff)
downloadrails-99e9faeda8f039d34e9eeab319e8adc13cb9bc86.tar.gz
rails-99e9faeda8f039d34e9eeab319e8adc13cb9bc86.tar.bz2
rails-99e9faeda8f039d34e9eeab319e8adc13cb9bc86.zip
Patch SQL injection vulnerability when using integer or float columns.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
-rw-r--r--activerecord/CHANGELOG2
-rw-r--r--activerecord/lib/active_record/connection_adapters/abstract/quoting.rb3
-rwxr-xr-xactiverecord/test/base_test.rb6
3 files changed, 10 insertions, 1 deletions
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index df012b91ca..10387d04ef 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Patch sql injection vulnerability when using integer or float columns. [Jamis Buck]
+
* Allow #count through a has_many association to accept :include. [Dan Peterson]
* create_table rdoc: suggest :id => false for habtm join tables. [Zed Shaw]
diff --git a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
index 1c1b00252c..94d1d9c43f 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
@@ -11,7 +11,8 @@ module ActiveRecord
when String
if column && column.type == :binary && column.class.respond_to?(:string_to_binary)
"'#{quote_string(column.class.string_to_binary(value))}'" # ' (for ruby-mode)
- elsif column && [:integer, :float].include?(column.type)
+ elsif column && [:integer, :float].include?(column.type)
+ value = column.type == :integer ? value.to_i : value.to_f
value.to_s
else
"'#{quote_string(value)}'" # ' (for ruby-mode)
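Review bot: The new `value = column.type == :integer ? value.to_i : value.to_f` line closes the injection, but `to_i`/`to_f` coerce silently, so a non-numeric string such as `"abc"` now reaches the query as `0` instead of surfacing an error, and a string like `"1e400"` becomes `Infinity`, which `to_s` emits unquoted as a non-numeric token. Neither is an injection, but both are behaviour changes a caller would not expect from a quoting helper and worth a comment; something like `# coerce before interpolating so attacker-controlled text never reaches the SQL unquoted; non-numeric input becomes 0` would record the rationale. If callers should see an error instead, `Integer(value)`/`Float(value)` raise ArgumentError, though note the new test relies on `"123456 OR id > 0"` being accepted as 123456, which only the lenient `to_i` does. The enclosing `quote` method and its `case` start above the hunk, so the other branches are out of view here.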
diff --git a/activerecord/test/base_test.rb b/activerecord/test/base_test.rb
index b07ec3eacd..a2652b04b6 100755
--- a/activerecord/test/base_test.rb
+++ b/activerecord/test/base_test.rb
@@ -961,6 +961,12 @@ class BasicsTest < Test::Unit::TestCase
assert_equal("<baz>", inverted["quux"])
end
+ def test_sql_injection_via_find
+ assert_raises(ActiveRecord::RecordNotFound) do
+ Topic.find("123456 OR id > 0")
+ end
+ end
+
def test_column_name_properly_quoted
col_record = ColumnName.new
col_record.references = 40
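Review bot: `test_sql_injection_via_find` only exercises the integer branch and only indirectly, via `RecordNotFound`; the float branch added in the same commit has no coverage, and a regression that made `find` raise for an unrelated reason would still pass. A direct assertion on the quoting output would pin the actual fix, e.g. `assert_equal "123456", Topic.connection.quote("123456 OR id > 0", Topic.columns_hash["id"])` (presumably `columns_hash` is available on the model here; adjust to whatever accessor this test file already uses), plus a float-column case such as `"1.5 OR 1=1"` expected to quote as `"1.5"`. The surrounding `BasicsTest` class starts and ends outside the hunk.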