predicate builder should not recurse for determining where columns.

Thanks to Ben Murphy for reporting this CVE-2012-2661
author: Aaron Patterson <aaron.patterson@gmail.com> 2012-05-30 15:09:13 -0700
committer: Aaron Patterson <aaron.patterson@gmail.com> 2012-05-30 15:09:13 -0700
commit: 9340f89849606dba02f44038171f3837f883fd4e (patch)
tree: 1c60619cf2a565ce998beb81c91457999b69dd45 /activerecord/lib/active_record/relation
parent: 344ea048659f2ba47012f0330183ea4a96752732 (diff)
download: rails-9340f89849606dba02f44038171f3837f883fd4e.tar.gz
rails-9340f89849606dba02f44038171f3837f883fd4e.tar.bz2
rails-9340f89849606dba02f44038171f3837f883fd4e.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
index 6a0cdd5917..cb8f903474 100644
--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -6,7 +6,7 @@ module ActiveRecord
 
         if value.is_a?(Hash)
           table = Arel::Table.new(column, engine)
-          build_from_hash(engine, value, table)
+          value.map { |k,v| build(table[k.to_sym], v) }
         else
           column = column.to_s
author	Aaron Patterson <aaron.patterson@gmail.com>	2012-05-30 15:09:13 -0700
committer	Aaron Patterson <aaron.patterson@gmail.com>	2012-05-30 15:09:13 -0700
commit	9340f89849606dba02f44038171f3837f883fd4e (patch)
tree	1c60619cf2a565ce998beb81c91457999b69dd45 /activerecord/lib/active_record/relation
parent	344ea048659f2ba47012f0330183ea4a96752732 (diff)
download	rails-9340f89849606dba02f44038171f3837f883fd4e.tar.gz rails-9340f89849606dba02f44038171f3837f883fd4e.tar.bz2 rails-9340f89849606dba02f44038171f3837f883fd4e.zip