authorMichael Koziarski <michael@koziarski.com>2009-06-10 12:10:13 +1200
committerMichael Koziarski <michael@koziarski.com>2009-06-10 12:12:21 +1200
commitc014c3e5c14beb71fa7c67f15448386d0ffaba28 (patch)
tree6463fc9f189332286f0516b2b1d11d5084b61818 /activerecord/lib/active_record/base.rb
parentb6fde6b4801fae26cdd0e790f6bfd06e7afe9941 (diff)
Whitelist the methods which are called by multiparameter attribute assignment.
This prevents users from causing NoMethodErrors and the like by editing the parameter names, and closes a potential exploit of CVE-2009-1904.
Diffstat (limited to 'activerecord/lib/active_record/base.rb')
-rwxr-xr-xactiverecord/lib/active_record/base.rb16
1 files changed, 8 insertions, 8 deletions
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index ec49d40a12..98898e9c18 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -3043,11 +3043,11 @@ module ActiveRecord #:nodoc:
def execute_callstack_for_multiparameter_attributes(callstack)
errors = []
callstack.each do |name, values|
- klass = (self.class.reflect_on_aggregation(name.to_sym) || column_for_attribute(name)).klass
- if values.empty?
- send(name + "=", nil)
- else
- begin
+ begin
+ klass = (self.class.reflect_on_aggregation(name.to_sym) || column_for_attribute(name)).klass
+ if values.empty?
+ send(name + "=", nil)
+ else
value = if Time == klass
instantiate_time_object(name, values)
elsif Date == klass
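Review bot: The klass lookup on the line after `begin` is what keeps `send(name + "=", ...)` from reaching an arbitrary setter: a parameter key that names neither an aggregation nor a column now fails at `.klass` on nil, and with the rescue that the second hunk attaches to this same begin block that failure is collected as an AttributeAssignmentError, so neither send below runs for such a key. That ordering is load-bearing and deserves a comment above the lookup, e.g. `# klass lookup first: it raises for names that are neither a column nor an aggregation, so send never runs for an unknown key`. Separately, `name.to_sym` interns a request-supplied key; on the Ruby versions this code appears to target symbols are not garbage collected, so a hedged comment there would help a later reader, though that line predates this commit. execute_callstack_for_multiparameter_attributes continues past the end of this hunk.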
@@ -3061,9 +3061,9 @@ module ActiveRecord #:nodoc:
end
send(name + "=", value)
- rescue => ex
- errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name}", ex, name)
end
+ rescue => ex
+ errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name}", ex, name)
end
end
unless errors.empty?
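Review bot: The `rescue => ex` here now also catches the NoMethodError raised when the klass lookup in the previous hunk finds no column or aggregation, but the message built on the next line still reads as an assignment or cast failure for what is actually an unknown attribute name. The original exception is passed as the second argument, so the cause is not lost; still, surfacing it in the message keeps logs readable, e.g. `errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name} (#{ex.message})", ex, name)`. The enclosing method continues past the end of this hunk.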
@@ -3089,7 +3089,7 @@ module ActiveRecord #:nodoc:
end
def type_cast_attribute_value(multiparameter_name, value)
- multiparameter_name =~ /\([0-9]*([a-z])\)/ ? value.send("to_" + $1) : value
+ multiparameter_name =~ /\([0-9]*([if])\)/ ? value.send("to_" + $1) : value
end
def find_parameter_position(multiparameter_name)