aboutsummaryrefslogtreecommitdiffstats
path: root/activerecord/test/cases
diff options
context:
space:
mode:
authorRafael Mendonça França <rafaelmfranca@gmail.com>2014-06-05 14:08:40 -0300
committerRafael Mendonça França <rafaelmfranca@gmail.com>2014-07-02 14:45:50 -0300
commit7df68a300c9395e3edf8c603b6fea3db9eaff003 (patch)
treed7cbf866e9bfa06fbf0c8486f31ce3e6d92578bb /activerecord/test/cases
parentf838caf350c3405ebdf10a6c6171adfa0a840905 (diff)
downloadrails-7df68a300c9395e3edf8c603b6fea3db9eaff003.tar.gz
rails-7df68a300c9395e3edf8c603b6fea3db9eaff003.tar.bz2
rails-7df68a300c9395e3edf8c603b6fea3db9eaff003.zip
Fix SQL injection when querying against ranges and bitstrings
Fix CVE-2014-3483 and protect against CVE-2014-3482.
Diffstat (limited to 'activerecord/test/cases')
-rw-r--r--activerecord/test/cases/adapters/postgresql/quoting_test.rb11
1 files changed, 11 insertions, 0 deletions
diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
index 218c59247e..134c037a83 100644
--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
@@ -57,6 +57,17 @@ module ActiveRecord
assert_equal "'1970-01-01 00:00:00.000000'", @conn.quote(Time.at(0))
assert_equal "'1970-01-01 00:00:00.000000'", @conn.quote(Time.at(0).to_datetime)
end
+
+ def test_quote_range
+ range = "1,2]'; SELECT * FROM users; --".."a"
+ c = PostgreSQLColumn.new(nil, nil, OID::Range.new(Type::Integer.new, :int8range))
+ assert_equal "[1,2]''; SELECT * FROM users; --,a]::int8range", @conn.quote(range, c)
+ end
+
+ def test_quote_bit_string
+ c = PostgreSQLColumn.new(nil, 1, OID::Bit.new)
+ assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c)
+ end
end
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-10 07:18:43 +0000