Regex fix for mattr_accessor validation

Change ^ and $ operators to \A and \z to prevent code injection after the line breaks
author: Aliaksandr Buhayeu <aliaksandr.buhayeu@gmail.com> 2015-06-17 14:58:36 +0300
committer: Aliaksandr Buhayeu <aliaksandr.buhayeu@gmail.com> 2015-10-01 21:27:58 +0300
commit: 3005c25a36bcf30e08940a6cd0414752b35ba971 (patch)
tree: 702e6dc3bade409740989a49dde4ced2677ffbd9 /activesupport
parent: f78650d56e75ee266a17e12cd97a136d10484a67 (diff)
download: rails-3005c25a36bcf30e08940a6cd0414752b35ba971.tar.gz
rails-3005c25a36bcf30e08940a6cd0414752b35ba971.tar.bz2
rails-3005c25a36bcf30e08940a6cd0414752b35ba971.zip
2 files changed, 16 insertions, 2 deletions
diff --git a/activesupport/lib/active_support/core_ext/module/attribute_accessors.rb b/activesupport/lib/active_support/core_ext/module/attribute_accessors.rb
index a084177b9f..bf175a8a70 100644
--- a/activesupport/lib/active_support/core_ext/module/attribute_accessors.rb
+++ b/activesupport/lib/active_support/core_ext/module/attribute_accessors.rb
@@ -53,7 +53,7 @@ class Module
   def mattr_reader(*syms)
     options = syms.extract_options!
     syms.each do |sym|
-      raise NameError.new("invalid attribute name: #{sym}") unless sym =~ /^[_A-Za-z]\w*$/
+      raise NameError.new("invalid attribute name: #{sym}") unless sym =~ /\A[_A-Za-z]\w*\z/
       class_eval(<<-EOS, __FILE__, __LINE__ + 1)
         @@#{sym} = nil unless defined? @@#{sym}
 
@@ -119,7 +119,7 @@ class Module
   def mattr_writer(*syms)
     options = syms.extract_options!
     syms.each do |sym|
-      raise NameError.new("invalid attribute name: #{sym}") unless sym =~ /^[_A-Za-z]\w*$/
+      raise NameError.new("invalid attribute name: #{sym}") unless sym =~ /\A[_A-Za-z]\w*\z/
       class_eval(<<-EOS, __FILE__, __LINE__ + 1)
         @@#{sym} = nil unless defined? @@#{sym}
 
diff --git a/activesupport/test/core_ext/module/attribute_accessor_test.rb b/activesupport/test/core_ext/module/attribute_accessor_test.rb
index 128c5e3d1a..0b0f3a2808 100644
--- a/activesupport/test/core_ext/module/attribute_accessor_test.rb
+++ b/activesupport/test/core_ext/module/attribute_accessor_test.rb
@@ -69,6 +69,20 @@ class ModuleAttributeAccessorTest < ActiveSupport::TestCase
       end
     end
     assert_equal "invalid attribute name: 1nvalid", exception.message
+
+    exception = assert_raises NameError do
+      Class.new do
+        mattr_reader "valid_part\ninvalid_part"
+      end
+    end
+    assert_equal "invalid attribute name: valid_part\ninvalid_part", exception.message
+
+    exception = assert_raises NameError do
+      Class.new do
+        mattr_writer "valid_part\ninvalid_part"
+      end
+    end
+    assert_equal "invalid attribute name: valid_part\ninvalid_part", exception.message
   end
 
   def test_should_use_default_value_if_block_passed
author	Aliaksandr Buhayeu <aliaksandr.buhayeu@gmail.com>	2015-06-17 14:58:36 +0300
committer	Aliaksandr Buhayeu <aliaksandr.buhayeu@gmail.com>	2015-10-01 21:27:58 +0300
commit	3005c25a36bcf30e08940a6cd0414752b35ba971 (patch)
tree	702e6dc3bade409740989a49dde4ced2677ffbd9 /activesupport
parent	f78650d56e75ee266a17e12cd97a136d10484a67 (diff)
download	rails-3005c25a36bcf30e08940a6cd0414752b35ba971.tar.gz rails-3005c25a36bcf30e08940a6cd0414752b35ba971.tar.bz2 rails-3005c25a36bcf30e08940a6cd0414752b35ba971.zip