author | Aaron Patterson <aaron.patterson@gmail.com> | 2012-05-30 15:04:11 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2012-05-30 15:04:11 -0700 |
commit | 71f7917c553cdc9a0ee49e87af0efb7429759718 (patch) | |
tree | bc5c3b2a01128c1a08bd4bf5e7b0c5dd59a81e8b /activerecord/test/cases | |
parent | fe4dfdd64450662d882b47bf519d885edee453df (diff) | |
download | rails-71f7917c553cdc9a0ee49e87af0efb7429759718.tar.gz, rails-71f7917c553cdc9a0ee49e87af0efb7429759718.tar.bz2, rails-71f7917c553cdc9a0ee49e87af0efb7429759718.zip | |
predicate builder should not recurse for determining where columns.
Thanks to Ben Murphy for reporting this
CVE-2012-2661
Diffstat (limited to 'activerecord/test/cases')
-rw-r--r-- | activerecord/test/cases/relation/where_test.rb | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb new file mode 100644 index 0000000000..90c690e266 --- /dev/null +++ b/activerecord/test/cases/relation/where_test.rb @@ -0,0 +1,19 @@ +require "cases/helper" +require 'models/post' + +module ActiveRecord + class WhereTest < ActiveRecord::TestCase + fixtures :posts + + def test_where_error + assert_raises(ActiveRecord::StatementInvalid) do + Post.where(:id => { 'posts.author_id' => 10 }).first + end + end + + def test_where_with_table_name + post = Post.first + assert_equal post, Post.where(:posts => { 'id' => post.id }).first + end + end +end |
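Review bot: `test_where_error` pins down the fix only indirectly: it expects `ActiveRecord::StatementInvalid` when `Post.where(:id => { 'posts.author_id' => 10 }).first` runs, i.e. it relies on the database rejecting a Hash that is now bound as a plain value instead of being expanded into a predicate on `posts.author_id`, and that failure mode depends on how each adapter quotes a Hash. Consider adding an assertion on the generated statement, for example that `Post.where(:id => { 'posts.author_id' => 10 }).to_sql` does not contain `author_id`, so the test exercises the predicate builder directly and fails for the same reason on every adapter. The file also carries no comment explaining why a Hash under a column key must not be recursed into; a one-line reference to the commit message (the `CVE-2012-2661` regression) would tell a future maintainer why this test must not be relaxed. Minor style point: `require "cases/helper"` and `require 'models/post'` mix quote styles in adjacent lines.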