4 files changed, 79 insertions, 2 deletions

diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index 458b9d77c2..7efd75a239 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,64 @@
+*   Default scopes are no longer overriden by chained conditions.
+
+    Before this change when you defined a `default_scope` in a model
+    it was overriden by chained conditions in the same field. Now it
+    is merged like any other scope.
+
+    Before:
+
+        class User < ActiveRecord::Base
+          default_scope { where state: 'pending' }
+          scope :active, -> { where state: 'active' }
+          scope :inactive, -> { where state: 'inactive' }
+        end
+
+        User.all
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending'
+
+        User.active
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'active'
+
+        User.where(state: 'inactive')
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive'
+
+    After:
+
+        class User < ActiveRecord::Base
+          default_scope { where state: 'pending' }
+          scope :active, -> { where state: 'active' }
+          scope :inactive, -> { where state: 'inactive' }
+        end
+
+        User.all
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending'
+
+        User.active
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' AND "users"."state" = 'active'
+
+        User.where(state: 'inactive')
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' AND "users"."state" = 'inactive'
+
+    To get the previous behavior it is needed to explicitly remove the
+    `default_scope` condition using `unscoped`, `unscope`, `rewhere` or
+    `except`.
+
+    Example:
+
+        class User < ActiveRecord::Base
+          default_scope { where state: 'pending' }
+          scope :active, -> { unscope(where: :state).where(state: 'active') }
+          scope :inactive, -> { rewhere state: 'inactive' }
+        end
+
+        User.all
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending'
+
+        User.active
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'active'
+
+        User.inactive
+        # SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive'
+
 *   Perform necessary deeper encoding when hstore is inside an array.
 
     Fixes #11135.
@@ -548,6 +609,10 @@
 
     *Kuldeep Aggarwal*
 
+*   Correctly escape PostgreSQL arrays.
+
+    Fixes: CVE-2014-0080
+
 *   `Relation` no longer has mutator methods like `#map!` and `#delete_if`. Convert
     to an `Array` by calling `#to_a` before using these methods.
 
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb b/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb
index 3a3b500b1f..551a9289c3 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb
@@ -142,12 +142,16 @@ module ActiveRecord
             end
           end
 
+          ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays
+
           def quote_and_escape(value)
             case value
             when "NULL", Numeric
               value
             else
-              "\"#{value.gsub(/"/,"\\\"")}\""
+              value = value.gsub(/\\/, ARRAY_ESCAPE)
+              value.gsub!(/"/,"\\\"")
+              "\"#{value}\""
             end
           end
 
diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb
index 863c3ebe4d..7795561e51 100644
--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -1,7 +1,7 @@
 module ActiveRecord
   # Returns the version of the currently loaded ActiveRecord as a Gem::Version
   def self.version
-    Gem::Version.new "4.1.0.beta1"
+    Gem::Version.new "4.1.0.beta2"
   end
 
   module VERSION #:nodoc:
diff --git a/activerecord/test/cases/adapters/postgresql/datatype_test.rb b/activerecord/test/cases/adapters/postgresql/datatype_test.rb
index 04a458fbce..5c3a797c41 100644
--- a/activerecord/test/cases/adapters/postgresql/datatype_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/datatype_test.rb
@@ -78,6 +78,14 @@ class PostgresqlDataTypeTest < ActiveRecord::TestCase
      PostgresqlBitString, PostgresqlOid, PostgresqlTimestampWithZone, PostgresqlUUID].each(&:delete_all)
   end
 
+  def test_array_escaping
+    unknown = %(foo\\",bar,baz,\\)
+    nicknames = ["hello_#{unknown}"]
+    ar = PostgresqlArray.create!(nicknames: nicknames, id: 100)
+    ar.reload
+    assert_equal nicknames, ar.nicknames
+  end
+
   def test_data_type_of_array_types
     assert_equal :integer, @first_array.column_for_attribute(:commission_by_quarter).type
     assert_equal :text, @first_array.column_for_attribute(:nicknames).type