limit() should sanitize limit values

This fixes CVE-2011-0448
author: Aaron Patterson <aaron.patterson@gmail.com> 2010-12-07 09:49:37 -0800
committer: Aaron Patterson <aaron.patterson@gmail.com> 2011-02-08 14:21:12 -0800
commit: 0b58a7ff420d7ef4b643c521a62be7259dd2f5cb (patch)
tree: d5314aa04b853619912bec01f47526cddb1ef2f8 /activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
parent: 6b1018526fb304727ee4191afc2d8a5e29e49eea (diff)
download: rails-0b58a7ff420d7ef4b643c521a62be7259dd2f5cb.tar.gz
rails-0b58a7ff420d7ef4b643c521a62be7259dd2f5cb.tar.bz2
rails-0b58a7ff420d7ef4b643c521a62be7259dd2f5cb.zip
1 files changed, 15 insertions, 15 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
index 01e53b46c8..5f30b972f5 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
@@ -276,6 +276,21 @@ module ActiveRecord
         "WHERE #{quoted_primary_key} IN (SELECT #{quoted_primary_key} FROM #{quoted_table_name} #{where_sql})"
       end
 
+      # Sanitizes the given LIMIT parameter in order to prevent SQL injection.
+      #
+      # +limit+ may be anything that can evaluate to a string via #to_s. It
+      # should look like an integer, or a comma-delimited list of integers.
+      #
+      # Returns the sanitized limit parameter, either as an integer, or as a
+      # string which contains a comma-delimited list of integers.
+      def sanitize_limit(limit)
+        if limit.to_s =~ /,/
+          Arel.sql limit.to_s.split(',').map{ |i| Integer(i) }.join(',')
+        else
+          Integer(limit)
+        end
+      end
+
       protected
         # Returns an array of record hashes with the column names as keys and
         # column values as values.
@@ -299,21 +314,6 @@ module ActiveRecord
           update_sql(sql, name)
         end
 
-        # Sanitizes the given LIMIT parameter in order to prevent SQL injection.
-        #
-        # +limit+ may be anything that can evaluate to a string via #to_s. It
-        # should look like an integer, or a comma-delimited list of integers.
-        #
-        # Returns the sanitized limit parameter, either as an integer, or as a
-        # string which contains a comma-delimited list of integers.
-        def sanitize_limit(limit)
-          if limit.to_s =~ /,/
-            limit.to_s.split(',').map{ |i| i.to_i }.join(',')
-          else
-            limit.to_i
-          end
-        end
-
         # Send a rollback message to all records after they have been rolled back. If rollback
         # is false, only rollback records since the last save point.
         def rollback_transaction_records(rollback) #:nodoc
author	Aaron Patterson <aaron.patterson@gmail.com>	2010-12-07 09:49:37 -0800
committer	Aaron Patterson <aaron.patterson@gmail.com>	2011-02-08 14:21:12 -0800
commit	0b58a7ff420d7ef4b643c521a62be7259dd2f5cb (patch)
tree	d5314aa04b853619912bec01f47526cddb1ef2f8 /activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
parent	6b1018526fb304727ee4191afc2d8a5e29e49eea (diff)
download	rails-0b58a7ff420d7ef4b643c521a62be7259dd2f5cb.tar.gz rails-0b58a7ff420d7ef4b643c521a62be7259dd2f5cb.tar.bz2 rails-0b58a7ff420d7ef4b643c521a62be7259dd2f5cb.zip