diff options
| author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 11:37:48 -0800 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-01-08 11:37:48 -0800 |
| commit | 48810a52dfba26cef127168af447a9620d4555c3 (patch) | |
| tree | 5df95d8adbfcade0f7fedcc06e8e4fe1cdab6580 /activerecord | |
| parent | f64be7d0d825828098617e6b7c2645dda72d4c18 (diff) | |
| parent | 746dbd89faf8197e6d6f35f6e428a024923116a2 (diff) | |
| download | rails-48810a52dfba26cef127168af447a9620d4555c3.tar.gz rails-48810a52dfba26cef127168af447a9620d4555c3.tar.bz2 rails-48810a52dfba26cef127168af447a9620d4555c3.zip | |
Merge branch '3-2-sec' into 3-2-secmerge
* 3-2-sec:
bumping version
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Avoid Rack security warning no secret provided
Conflicts:
actionpack/CHANGELOG.md
activerecord/CHANGELOG.md
activesupport/CHANGELOG.md
Diffstat (limited to 'activerecord')
| -rw-r--r-- | activerecord/CHANGELOG.md | 5 | ||||
| -rw-r--r-- | activerecord/lib/active_record/relation/predicate_builder.rb | 7 | ||||
| -rw-r--r-- | activerecord/lib/active_record/version.rb | 2 | ||||
| -rw-r--r-- | activerecord/test/cases/relation/where_test.rb | 16 |
4 files changed, 26 insertions, 4 deletions
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 495390d16c..d9bb058284 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,4 +1,4 @@ -## Rails 3.2.11 (unreleased) +## Rails 3.2.12 (unreleased) * Fix undefined method `to_i` when calling `new` on a scope that uses an Array; Fix FloatDomainError when setting integer column to NaN. @@ -179,6 +179,9 @@ *Gabriel Sobrinho, Ricardo Henrique* +## Rails 3.2.11 ## + +* Fix querying with an empty hash *Damien Mathieu* [CVE-2013-0155] ## Rails 3.2.10 (Jan 2, 2013) ## diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb index 6b118b4912..b31fdfd981 100644 --- a/activerecord/lib/active_record/relation/predicate_builder.rb +++ b/activerecord/lib/active_record/relation/predicate_builder.rb @@ -6,7 +6,12 @@ module ActiveRecord if allow_table_name && value.is_a?(Hash) table = Arel::Table.new(column, engine) - build_from_hash(engine, value, table, false) + + if value.empty? + '1 = 2' + else + build_from_hash(engine, value, table, false) + end else column = column.to_s diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index 36266e968b..ff9fa279f4 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -2,7 +2,7 @@ module ActiveRecord module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 10 + TINY = 11 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb index b9eef1d32f..80158332f9 100644 --- a/activerecord/test/cases/relation/where_test.rb +++ b/activerecord/test/cases/relation/where_test.rb @@ -1,9 +1,11 @@ require "cases/helper" require 'models/post' +require 'models/comment' +require 'models/edge' module ActiveRecord class WhereTest < ActiveRecord::TestCase - fixtures :posts + fixtures :posts, :edges def test_where_error assert_raises(ActiveRecord::StatementInvalid) do @@ -21,5 +23,17 @@ module ActiveRecord post = Post.first assert_equal post, Post.where(:posts => { 'id' => post.id }).first end + + def test_where_with_table_name_and_empty_hash + assert_equal 0, Post.where(:posts => {}).count + end + + def test_where_with_table_name_and_empty_array + assert_equal 0, Post.where(:id => []).count + end + + def test_where_with_empty_hash_and_no_foreign_key + assert_equal 0, Edge.where(:sink => {}).count + end end end |