Check attributes passed to create_with and where

If the request parameters are passed to create_with and where they can be used to do mass assignment when used in combination with Relation#create. Fixes CVE-2014-3514 Conflicts: activerecord/lib/active_record/relation/query_methods.rb
author: Rafael Mendonça França <rafaelmfranca@gmail.com> 2014-08-06 21:17:19 -0300
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2014-08-18 14:07:37 -0300
commit: 306dc1a499908ba105e6b0fe8b8e01824c5e04d7 (patch)
tree: a8ec4a562ea9ff154563214dc3dbe5f28b7f454e /activemodel
parent: e759b5277e404cb0ca8353d0c6eba8a5c471af41 (diff)
download: rails-306dc1a499908ba105e6b0fe8b8e01824c5e04d7.tar.gz
rails-306dc1a499908ba105e6b0fe8b8e01824c5e04d7.tar.bz2
rails-306dc1a499908ba105e6b0fe8b8e01824c5e04d7.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/activemodel/lib/active_model/forbidden_attributes_protection.rb b/activemodel/lib/active_model/forbidden_attributes_protection.rb
index 7468f95548..b4fa378601 100644
--- a/activemodel/lib/active_model/forbidden_attributes_protection.rb
+++ b/activemodel/lib/active_model/forbidden_attributes_protection.rb
@@ -23,5 +23,6 @@ module ActiveModel
           attributes
         end
       end
+      alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
   end
 end
author	Rafael Mendonça França <rafaelmfranca@gmail.com>	2014-08-06 21:17:19 -0300
committer	Rafael Mendonça França <rafaelmfranca@gmail.com>	2014-08-18 14:07:37 -0300
commit	306dc1a499908ba105e6b0fe8b8e01824c5e04d7 (patch)
tree	a8ec4a562ea9ff154563214dc3dbe5f28b7f454e /activemodel
parent	e759b5277e404cb0ca8353d0c6eba8a5c471af41 (diff)
download	rails-306dc1a499908ba105e6b0fe8b8e01824c5e04d7.tar.gz rails-306dc1a499908ba105e6b0fe8b8e01824c5e04d7.tar.bz2 rails-306dc1a499908ba105e6b0fe8b8e01824c5e04d7.zip