author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-06-05 12:34:07 -0300 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2014-07-02 12:49:01 -0300 |
commit | 1f2192e46d78ee0ba2b06373f2c24caf8440ff5b (patch) | |
tree | dbd23e6da3667fedaf5ccedb1f268a1470fc75c3 /activerecord/lib | |
parent | 297bff7f8f01fbda2a6bacaed4afb3d060292b9f (diff) | |
Check against bit string values using multiline regexp
Fix CVE-2014-3482.
Diffstat (limited to 'activerecord/lib')
-rw-r--r-- | activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
index e98337e7d5..3cd65d0bf5 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
@@ -442,8 +442,8 @@ module ActiveRecord
 when 'xml' then "xml '#{quote_string(value)}'"
 when /^bit/
 case value
- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
+ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
+ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
 end
 else
 super
@@ -1160,7 +1160,7 @@ module ActiveRecord
 FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
 def exec_no_cache(sql, binds)
- @connection.async_exec(sql)
+ @connection.async_exec(sql, [])
 end
 def exec_cache(sql, binds) |
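Review bot: The `\Z` anchor in the two added `when` patterns still matches before a single trailing newline, so a value such as `"0101\n"` passes the bit-string check and the newline is interpolated into the `B'…'` literal unchecked; `\z` is the strict end-of-string anchor. Since the purpose of the change is to make the pattern cover the entire value, the lines should read `when /\A[01]*\z/ then "B'#{value}'" # Bit-string notation` and `when /\A[0-9A-F]*\z/i then "X'#{value}'" # Hexadecimal notation`. The inner `case value` has no `else`, so a value matching neither pattern appears to yield nil from this branch rather than raising; that is pre-existing, but worth confirming since the enclosing quoting method starts outside the hunk.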
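Review bot: The added `[]` argument in `exec_no_cache` carries the protective effect of the second hunk, but nothing on the line says why, and a later cleanup could drop an apparently redundant empty params array. Passing a params array makes the pg driver send the query through the extended query protocol, which accepts only one statement per call, so a string carrying stacked statements is rejected by the server rather than executed. A comment on that line would pin the intent: `# Pass an empty params array so pg uses the extended query protocol, which rejects multiple statements in one string.` The `binds` parameter of `exec_no_cache` remains unused, as it was before the change.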