9 files changed, 59 insertions, 10 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/flash.rb b/actionpack/lib/action_dispatch/middleware/flash.rb
index 4821d2a899..e90f8b9ce6 100644
--- a/actionpack/lib/action_dispatch/middleware/flash.rb
+++ b/actionpack/lib/action_dispatch/middleware/flash.rb
@@ -10,7 +10,7 @@ module ActionDispatch
     end
   end
 
-  # The flash provides a way to pass temporary objects between actions. Anything you place in the flash will be exposed
+  # The flash provides a way to pass temporary primitive-types (String, Array, Hash) between actions. Anything you place in the flash will be exposed
   # to the very next action and then cleared out. This is a great way of doing notices and alerts, such as a create
   # action that sets <tt>flash[:notice] = "Post successfully created"</tt> before redirecting to a display action that can
   # then expose the flash to its template. Actually, that exposure is automatically done.
@@ -37,8 +37,11 @@ module ActionDispatch
   #   flash.alert = "You must be logged in"
   #   flash.notice = "Post successfully created"
   #
-  # This example just places a string in the flash, but you can put any object in there. And of course, you can put as
-  # many as you like at a time too. Just remember: They'll be gone by the time the next action has been performed.
+  # This example places a string in the flash. And of course, you can put as many as you like at a time too. If you want to pass
+  # non-primitive types, you will have to handle that in your application. Example: To show messages with links, you will have to
+  # use sanitize helper.
+  #
+  # Just remember: They'll be gone by the time the next action has been performed.
   #
   # See docs on the FlashHash class for more details about the flash.
   class Flash
diff --git a/actionpack/test/dispatch/request_test.rb b/actionpack/test/dispatch/request_test.rb
index e4950a5d6b..9cbd53002b 100644
--- a/actionpack/test/dispatch/request_test.rb
+++ b/actionpack/test/dispatch/request_test.rb
@@ -1066,7 +1066,7 @@ class RequestEtag < BaseRequestTest
   end
 end
 
-class RequestVarient < BaseRequestTest
+class RequestVariant < BaseRequestTest
   test "setting variant" do
     request = stub_request
 
diff --git a/activerecord/lib/active_record/attribute_set.rb b/activerecord/lib/active_record/attribute_set.rb
index 2889d59328..64df6f6358 100644
--- a/activerecord/lib/active_record/attribute_set.rb
+++ b/activerecord/lib/active_record/attribute_set.rb
@@ -52,6 +52,12 @@ module ActiveRecord
       super
     end
 
+    def reset(key)
+      if include?(key)
+        write_from_database(key, nil)
+      end
+    end
+
     def ensure_initialized(key)
       unless self[key].initialized?
         write_from_database(key, nil)
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
index f9541b437a..60b0ee526e 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
@@ -23,7 +23,8 @@ module ActiveRecord
           case value
           when Range
             if /range$/ =~ sql_type
-              "'#{PostgreSQLColumn.range_to_string(value)}'::#{sql_type}"
+              escaped = quote_string(PostgreSQLColumn.range_to_string(value))
+              "'#{escaped}'::#{sql_type}"
             else
               super
             end
@@ -52,8 +53,8 @@ module ActiveRecord
             when 'xml'   then "xml '#{quote_string(value)}'"
             when /^bit/
               case value
-              when /^[01]*$/      then "B'#{value}'" # Bit-string notation
-              when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
+              when /\A[01]*\Z/      then "B'#{value}'" # Bit-string notation
+              when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
               end
             else
               super
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
index a164758640..8e31e165b1 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
@@ -569,7 +569,7 @@ module ActiveRecord
         end
 
         def exec_no_cache(sql, name, binds)
-          log(sql, name, binds) { @connection.async_exec(sql) }
+          log(sql, name, binds) { @connection.async_exec(sql, []) }
         end
 
         def exec_cache(sql, name, binds)
diff --git a/activerecord/lib/active_record/core.rb b/activerecord/lib/active_record/core.rb
index 8be5b340de..b11c4f804f 100644
--- a/activerecord/lib/active_record/core.rb
+++ b/activerecord/lib/active_record/core.rb
@@ -315,9 +315,8 @@ module ActiveRecord
 
     ##
     def initialize_dup(other) # :nodoc:
-      pk = self.class.primary_key
       @attributes = @attributes.dup
-      @attributes.write_from_database(pk, nil)
+      @attributes.reset(self.class.primary_key)
 
       run_callbacks(:initialize) unless _initialize_callbacks.empty?
 
diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
index 218c59247e..6f00c0d333 100644
--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
@@ -57,6 +57,17 @@ module ActiveRecord
           assert_equal "'1970-01-01 00:00:00.000000'", @conn.quote(Time.at(0))
           assert_equal "'1970-01-01 00:00:00.000000'", @conn.quote(Time.at(0).to_datetime)
         end
+
+        def test_quote_range
+          range = "1,2]'; SELECT * FROM users; --".."a"
+          c = PostgreSQLColumn.new(nil, nil, OID::Range.new(Type::Integer.new, :int8range))
+          assert_equal "'[1,2]''; SELECT * FROM users; --,a]'::int8range", @conn.quote(range, c)
+        end
+
+        def test_quote_bit_string
+          c = PostgreSQLColumn.new(nil, 1, OID::Bit.new)
+          assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c)
+        end
       end
     end
   end
diff --git a/activerecord/test/cases/adapters/postgresql/range_test.rb b/activerecord/test/cases/adapters/postgresql/range_test.rb
index 0f6e39322c..02d0a9b483 100644
--- a/activerecord/test/cases/adapters/postgresql/range_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/range_test.rb
@@ -262,6 +262,23 @@ _SQL
       assert_raises(ArgumentError) { PostgresqlRange.create!(float_range: "(0.5, 0.7]") }
     end
 
+    def test_update_all_with_ranges
+      PostgresqlRange.create!
+
+      PostgresqlRange.update_all(int8_range: 1..100)
+
+      assert_equal 1...101, PostgresqlRange.first.int8_range
+    end
+
+    def test_ranges_correctly_escape_input
+      e = assert_raises(ActiveRecord::StatementInvalid) do
+        range = "1,2]'; SELECT * FROM users; --".."a"
+        PostgresqlRange.update_all(int8_range: range)
+      end
+
+      assert e.message.starts_with?("PG::InvalidTextRepresentation")
+    end
+
     private
       def assert_equal_round_trip(range, attribute, value)
         round_trip(range, attribute, value)
diff --git a/activerecord/test/cases/dup_test.rb b/activerecord/test/cases/dup_test.rb
index 409d9a82e2..638cffe0e6 100644
--- a/activerecord/test/cases/dup_test.rb
+++ b/activerecord/test/cases/dup_test.rb
@@ -141,5 +141,17 @@ module ActiveRecord
     ensure
       Topic.default_scopes = prev_default_scopes
     end
+
+    def test_dup_without_primary_key
+      klass = Class.new(ActiveRecord::Base) do
+        self.table_name = 'parrots_pirates'
+      end
+
+      record = klass.create!
+
+      assert_nothing_raised do
+        record.dup
+      end
+    end
   end
 end