diff options
| author | Michael Koziarski <michael@koziarski.com> | 2010-10-15 10:25:49 +1300 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2010-10-15 10:27:33 +1300 |
| commit | 9ebe582830fd0386e09a917d81eb6cff494cd590 (patch) | |
| tree | 423e057e1f400ecab9d6fec87012438fcf7f1af2 /activerecord/lib | |
| parent | 13f7f89bda503ccb1abc8dc78fbe36c44d902c49 (diff) | |
| download | rails-9ebe582830fd0386e09a917d81eb6cff494cd590.tar.gz rails-9ebe582830fd0386e09a917d81eb6cff494cd590.tar.bz2 rails-9ebe582830fd0386e09a917d81eb6cff494cd590.zip | |
Revert 0c0b0aa0f223523331afdc157fb3992a121bf497 which introduced a security vulnerability.
This addresses CVE-2010-3933
Conflicts:
activerecord/lib/active_record/nested_attributes.rb
Diffstat (limited to 'activerecord/lib')
| -rw-r--r-- | activerecord/lib/active_record/nested_attributes.rb | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/activerecord/lib/active_record/nested_attributes.rb b/activerecord/lib/active_record/nested_attributes.rb index bdd940f3ee..aca91c907d 100644 --- a/activerecord/lib/active_record/nested_attributes.rb +++ b/activerecord/lib/active_record/nested_attributes.rb @@ -324,9 +324,7 @@ module ActiveRecord assign_to_or_mark_for_destruction(record, attributes, options[:allow_destroy]) unless call_reject_if(association_name, attributes) elsif attributes['id'] - existing_record = self.class.reflect_on_association(association_name).klass.find(attributes['id']) - assign_to_or_mark_for_destruction(existing_record, attributes, options[:allow_destroy]) - self.send(association_name.to_s+'=', existing_record) + raise_nested_attributes_record_not_found(association_name, attributes['id']) elsif !reject_new_record?(association_name, attributes) method = "build_#{association_name}" @@ -402,15 +400,12 @@ module ActiveRecord association.build(attributes.except(*UNASSIGNABLE_KEYS)) end - elsif existing_records.count == 0 #Existing record but not yet associated - existing_record = self.class.reflect_on_association(association_name).klass.find(attributes['id']) - association.send(:add_record_to_target_with_callbacks, existing_record) if !association.loaded? && !call_reject_if(association_name, attributes) - assign_to_or_mark_for_destruction(existing_record, attributes, options[:allow_destroy]) - elsif existing_record = existing_records.detect { |record| record.id.to_s == attributes['id'].to_s } association.send(:add_record_to_target_with_callbacks, existing_record) if !association.loaded? && !call_reject_if(association_name, attributes) assign_to_or_mark_for_destruction(existing_record, attributes, options[:allow_destroy]) + else + raise_nested_attributes_record_not_found(association_name, attributes['id']) end end end @@ -430,7 +425,7 @@ module ActiveRecord ConnectionAdapters::Column.value_to_boolean(hash['_destroy']) end - # Determines if a new record should be built by checking for + # Determines if a new record should be build by checking for # has_destroy_flag? or if a <tt>:reject_if</tt> proc exists for this # association and evaluates to +true+. def reject_new_record?(association_name, attributes) @@ -446,5 +441,9 @@ module ActiveRecord end end + def raise_nested_attributes_record_not_found(association_name, record_id) + reflection = self.class.reflect_on_association(association_name) + raise RecordNotFound, "Couldn't find #{reflection.klass.name} with ID=#{record_id} for #{self.class.name} with ID=#{id}" + end end end |