author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-04 12:02:22 -0800 |
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 09:08:26 -0800 |
commit | d5cd97baa44fa66dc681041a213092b45c57c32f (patch) | |
tree | f5817abd953a86aceb4710f93337405db1306ae1 /activerecord/lib | |
parent | 95fe9ef945a35f56fa1c3ef356aec4a3b868937c (diff) | |
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * Deal with empty hashes. Thanks Damien Mathieu
Diffstat (limited to 'activerecord/lib')
-rw-r--r-- | activerecord/lib/active_record/relation/predicate_builder.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
index 6b118b4912..b31fdfd981 100644
--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -6,7 +6,12 @@ module ActiveRecord
 if allow_table_name && value.is_a?(Hash)
 table = Arel::Table.new(column, engine)
- build_from_hash(engine, value, table, false)
+
+ if value.empty?
+ '1 = 2'
+ else
+ build_from_hash(engine, value, table, false)
+ end
 else
 column = column.to_s |
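Review bot: The new `'1 = 2'` branch carries no explanation of why an empty nested hash must be turned into an always-false predicate, and a reader of this file alone cannot tell it is the CVE-2013-0155 hardening rather than an arbitrary choice; a comment above `if value.empty?` such as `# An empty nested hash (e.g. a JSON/XML parameter whose values were all nil) must not collapse into an unconstrained WHERE; emit a predicate that matches nothing.` would make the intent survive future refactors. The branch also returns a raw SQL String where the sibling branch returns Arel nodes, so the caller's result array now mixes types; presumably the consumer tolerates String entries, but that is not visible from this hunk and is worth confirming. Promoting the literal to a frozen constant (`ALWAYS_FALSE = '1 = 2'.freeze`) would make the special case greppable and keep the value from being edited by accident. The enclosing `build_from_hash` method starts before and continues after this hunk.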