author | Michael Koziarski <michael@koziarski.com> | 2009-06-10 12:10:13 +1200 |
committer | Michael Koziarski <michael@koziarski.com> | 2009-06-10 12:12:21 +1200 |
commit | c014c3e5c14beb71fa7c67f15448386d0ffaba28 (patch) | |
tree | 6463fc9f189332286f0516b2b1d11d5084b61818 /activerecord/lib/active_record/base.rb | |
parent | b6fde6b4801fae26cdd0e790f6bfd06e7afe9941 (diff) | |
download | rails-c014c3e5c14beb71fa7c67f15448386d0ffaba28.tar.gz rails-c014c3e5c14beb71fa7c67f15448386d0ffaba28.tar.bz2 rails-c014c3e5c14beb71fa7c67f15448386d0ffaba28.zip |
Whitelist the methods which are called by multiparameter attribute assignment.
This prevents users from causing NoMethodErrors and the like by editing the parameter names, and closes a potential exploit of CVE-2009-1904.
Diffstat (limited to 'activerecord/lib/active_record/base.rb')
-rwxr-xr-x | activerecord/lib/active_record/base.rb | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index ec49d40a12..98898e9c18 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -3043,11 +3043,11 @@ module ActiveRecord #:nodoc:
 def execute_callstack_for_multiparameter_attributes(callstack)
 errors = []
 callstack.each do |name, values|
- klass = (self.class.reflect_on_aggregation(name.to_sym) || column_for_attribute(name)).klass
- if values.empty?
- send(name + "=", nil)
- else
- begin
+ begin
+ klass = (self.class.reflect_on_aggregation(name.to_sym) || column_for_attribute(name)).klass
+ if values.empty?
+ send(name + "=", nil)
+ else
 value = if Time == klass
 instantiate_time_object(name, values)
 elsif Date == klass
@@ -3061,9 +3061,9 @@ module ActiveRecord #:nodoc:
 end
 
 send(name + "=", value)
- rescue => ex
- errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name}", ex, name)
 end
+ rescue => ex
+ errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name}", ex, name)
 end
 end
 unless errors.empty?
@@ -3089,7 +3089,7 @@ module ActiveRecord #:nodoc:
 end
 
 def type_cast_attribute_value(multiparameter_name, value)
- multiparameter_name =~ /\([0-9]*([a-z])\)/ ? value.send("to_" + $1) : value
+ multiparameter_name =~ /\([0-9]*([if])\)/ ? value.send("to_" + $1) : value
 end
 
 def find_parameter_position(multiparameter_name)
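Review bot: The reason the `klass` lookup now sits inside the `begin` in `execute_callstack_for_multiparameter_attributes` is not recorded anywhere in the code, and it is the security-relevant half of this commit: a parameter name that is neither an aggregation nor a column presumably makes the `|| column_for_attribute(name)` arm yield nil, so `.klass` raises and is now caught by the widened `rescue => ex` in the second hunk instead of escaping as a NoMethodError. A comment on the new `begin` line would keep that intent from being "refactored away" later, e.g. `# keep the klass lookup inside the rescue: an unknown or edited attribute name must surface as an AttributeAssignmentError, not an uncaught NoMethodError`. Note that `rescue => ex` is StandardError-wide, so any failure in the `send(name + "=", ...)` setter is folded into the same "error on assignment" message as a type-cast failure; that is acceptable here but worth stating in the comment. The `name` used in `send(name + "=", ...)` still comes straight from the parameter key, so this hunk does not itself restrict which setters are reachable; I assume that is handled by the attribute-protection layer before this method runs, which is worth confirming. The method starts in this hunk and its body continues through the second hunk and beyond it.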
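Review bot: In `type_cast_attribute_value` the allowed conversions exist only as the character class `([if])` inside the regex, while the call site still goes through `value.send("to_" + $1)`; a reader auditing what this method can invoke has to reverse-engineer the whitelist from the pattern, and any later widening of the class silently widens the dispatch again. Spelling the two conversions out removes the dynamic `send` from this path entirely and makes the whitelist self-documenting; the behaviour for the two permitted suffixes and for names with no suffix is unchanged.
```ruby
def type_cast_attribute_value(multiparameter_name, value)
  # Only the "(Ni)" and "(Nf)" suffixes are honoured; anything else passes the raw value through.
  case multiparameter_name
  when /\([0-9]*i\)/ then value.to_i
  when /\([0-9]*f\)/ then value.to_f
  else value
  end
end
```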