author | Ben Toews <mastahyeti@gmail.com> | 2017-10-18 10:21:45 -0600 |
committer | Matthew Draper <matthew@trebex.net> | 2017-11-09 22:42:15 +1030 |
commit | 8ef71ac4a119a4c03d78db2372b41ddcc8a95035 (patch) | |
tree | 69133ce1a019e79f121559d3e4fdf71b760c5148 /activerecord/lib/active_record/sanitization.rb | |
parent | b76cc29865fb69389ffdb7bd9f8085aa86354f82 (diff) | |
push order arg checks down to allow for binds
Diffstat (limited to 'activerecord/lib/active_record/sanitization.rb')
-rw-r--r-- | activerecord/lib/active_record/sanitization.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb
index 4caf1145f0..232743d3b6 100644
--- a/activerecord/lib/active_record/sanitization.rb
+++ b/activerecord/lib/active_record/sanitization.rb
@@ -63,13 +63,17 @@ module ActiveRecord
 # # => "id ASC"
 def sanitize_sql_for_order(condition) # :doc:
 if condition.is_a?(Array) && condition.first.to_s.include?("?")
+ enforce_raw_sql_whitelist([condition.first],
+ whitelist: AttributeMethods::ClassMethods::COLUMN_NAME_ORDER_WHITELIST
+ )
+
 # Ensure we aren't dealing with a subclass of String that might
 # override methods we use (eg. Arel::Nodes::SqlLiteral).
 if condition.first.kind_of?(String) && !condition.first.instance_of?(String)
 condition = [String.new(condition.first), *condition[1..-1]]
 end
- sanitize_sql_array(condition)
+ Arel.sql(sanitize_sql_array(condition))
 else
 condition
 end |
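Review bot: The whitelist check is applied only to the template `condition.first`, and only on the branch where that template contains `?`; the `else` branch still returns `condition` untouched, so this hunk relies on the caller having already vetted plain-string and non-bind orders (consistent with the title "push order arg checks down"), and that contract is not stated anywhere in the method. A short comment above the new call would make it explicit, e.g. `# Only the template is raw SQL here; the bind values are quoted by sanitize_sql_array, and non-bind orders are checked by the caller.` The check is also deliberately placed before the String-subclass normalization, presumably so that an `Arel::Nodes::SqlLiteral` template is still recognized as trusted by `enforce_raw_sql_whitelist` rather than being flattened into a plain String first; worth a one-line note since the existing comment only explains the normalization, not its ordering. The closing `end` of `sanitize_sql_for_order` lies outside the hunk.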