author Aaron Patterson <aaron.patterson@gmail.com> 2012-05-30 15:04:11 -0700
committer Aaron Patterson <aaron.patterson@gmail.com> 2012-05-30 15:04:11 -0700
commit 71f7917c553cdc9a0ee49e87af0efb7429759718 (patch)
tree bc5c3b2a01128c1a08bd4bf5e7b0c5dd59a81e8b /activerecord/test/cases/relation
parent fe4dfdd64450662d882b47bf519d885edee453df (diff)
predicate builder should not recurse for determining where columns.
Thanks to Ben Murphy for reporting this CVE-2012-2661
Diffstat (limited to 'activerecord/test/cases/relation')
-rw-r--r-- activerecord/test/cases/relation/where_test.rb 19
1 files changed, 19 insertions, 0 deletions
diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
new file mode 100644
index 0000000000..90c690e266
--- /dev/null
+++ b/activerecord/test/cases/relation/where_test.rb
@@ -0,0 +1,19 @@
+require "cases/helper"
+require 'models/post'
+
+module ActiveRecord
+ class WhereTest < ActiveRecord::TestCase
+ fixtures :posts
+
+ def test_where_error
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.where(:id => { 'posts.author_id' => 10 }).first
+ end
+ end
+
+ def test_where_with_table_name
+ post = Post.first
+ assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+ end
+ end
+end
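Review bot: test_where_error only asserts that ActiveRecord::StatementInvalid is raised, so it passes on any statement failure and does not pin down how the nested key 'posts.author_id' under :id is being interpreted. Consider also asserting on the generated SQL or on the error message, so the test fails for the right reason if the predicate builder changes how it resolves the hash in `Post.where(:id => { 'posts.author_id' => 10 })`. A more descriptive test name and a one-line comment referencing the CVE from the commit message would document why this case must raise. test_where_with_table_name covers only the string key 'id' under :posts; a companion case with a symbol key would make the supported form explicit. Minor style point: the two require lines mix double and single quotes.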