diff options
| author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-05 14:52:08 -0800 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-15 17:47:28 -0700 |
| commit | f980289fd2c1b9073a94b5d49b780a49f5e2933c (patch) | |
| tree | 13d708e3d92f2abdd877530239a1c1fc64408234 /activerecord/lib | |
| parent | 488699166c3558963fa82d4689a35f8c3fd93f47 (diff) | |
| download | rails-f980289fd2c1b9073a94b5d49b780a49f5e2933c.tar.gz rails-f980289fd2c1b9073a94b5d49b780a49f5e2933c.tar.bz2 rails-f980289fd2c1b9073a94b5d49b780a49f5e2933c.zip | |
stop calling to_sym when building arel nodes [CVE-2013-1854]
Diffstat (limited to 'activerecord/lib')
| -rw-r--r-- | activerecord/lib/active_record/relation.rb | 2 | ||||
| -rw-r--r-- | activerecord/lib/active_record/relation/predicate_builder.rb | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/activerecord/lib/active_record/relation.rb b/activerecord/lib/active_record/relation.rb index 4b3b30d6ed..ae1a57545e 100644 --- a/activerecord/lib/active_record/relation.rb +++ b/activerecord/lib/active_record/relation.rb @@ -464,7 +464,7 @@ module ActiveRecord node.left.relation.name == table_name } - Hash[equalities.map { |where| [where.left.name, where.right] }] + Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access end def scope_for_create diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb index b31fdfd981..413b81cc69 100644 --- a/activerecord/lib/active_record/relation/predicate_builder.rb +++ b/activerecord/lib/active_record/relation/predicate_builder.rb @@ -20,7 +20,7 @@ module ActiveRecord table = Arel::Table.new(table_name, engine) end - attribute = table[column.to_sym] + attribute = table[column] case value when ActiveRecord::Relation |