diff options
| author | Ernie Miller <ernie@erniemiller.org> | 2012-06-08 16:32:08 -0400 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2012-06-11 14:00:05 -0700 |
| commit | cc2903da9f13c26ba3d94c149f31d4c53b94b2ed (patch) | |
| tree | 649f450b5d8660344cd31dbafa2f16336aba6a4d /activerecord/lib | |
| parent | 0ccdeeb6b589b486f9ffdfb56cbbf901ec955d88 (diff) | |
| download | rails-cc2903da9f13c26ba3d94c149f31d4c53b94b2ed.tar.gz rails-cc2903da9f13c26ba3d94c149f31d4c53b94b2ed.tar.bz2 rails-cc2903da9f13c26ba3d94c149f31d4c53b94b2ed.zip | |
Additional fix for CVE-2012-2661
While the patched PredicateBuilder in 3.1.5 prevents a user
from specifying a table name using the `table.column` format,
it doesn't protect against the nesting of hashes changing the
table context in the next call to build_from_hash. This fix
covers this case as well.
Diffstat (limited to 'activerecord/lib')
| -rw-r--r-- | activerecord/lib/active_record/relation/predicate_builder.rb | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb index 9c84d8a6d5..6b118b4912 100644 --- a/activerecord/lib/active_record/relation/predicate_builder.rb +++ b/activerecord/lib/active_record/relation/predicate_builder.rb @@ -1,16 +1,16 @@ module ActiveRecord class PredicateBuilder # :nodoc: - def self.build_from_hash(engine, attributes, default_table, check_column = true) + def self.build_from_hash(engine, attributes, default_table, allow_table_name = true) predicates = attributes.map do |column, value| table = default_table - if value.is_a?(Hash) + if allow_table_name && value.is_a?(Hash) table = Arel::Table.new(column, engine) build_from_hash(engine, value, table, false) else column = column.to_s - if check_column && column.include?('.') + if allow_table_name && column.include?('.') table_name, column = column.split('.', 2) table = Arel::Table.new(table_name, engine) end |