From 1f2192e46d78ee0ba2b06373f2c24caf8440ff5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Thu, 5 Jun 2014 12:34:07 -0300 Subject: Check against bit string values using multiline regexp Fix CVE-2014-3482. --- .../lib/active_record/connection_adapters/postgresql_adapter.rb | 6 +++--- activerecord/test/cases/adapters/postgresql/quoting_test.rb | 5 +++++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb index e98337e7d5..3cd65d0bf5 100644 --- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb +++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb @@ -442,8 +442,8 @@ module ActiveRecord when 'xml' then "xml '#{quote_string(value)}'" when /^bit/ case value - when /^[01]*$/ then "B'#{value}'" # Bit-string notation - when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation + when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation + when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation end else super @@ -1160,7 +1160,7 @@ module ActiveRecord FEATURE_NOT_SUPPORTED = "0A000" # :nodoc: def exec_no_cache(sql, binds) - @connection.async_exec(sql) + @connection.async_exec(sql, []) end def exec_cache(sql, binds) diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb index 172055f15c..cfdf16d48d 100644 --- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb +++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb @@ -19,6 +19,11 @@ module ActiveRecord assert_equal 'f', @conn.type_cast(false, nil) assert_equal 'f', @conn.type_cast(false, c) end + + def test_quote_bit_string + c = PostgreSQLColumn.new(nil, 1, 'bit') + assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c) + end end end end -- cgit v1.2.3 From 53c845cb185036c71cc9793c4eb6bf4dc989307b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Wed, 2 Jul 2014 12:55:09 -0300 Subject: Preparing for 3.2.19 release --- RAILS_VERSION | 2 +- actionmailer/CHANGELOG.md | 5 +++++ actionmailer/lib/action_mailer/version.rb | 2 +- actionpack/CHANGELOG.md | 2 ++ actionpack/lib/action_pack/version.rb | 2 +- activemodel/CHANGELOG.md | 5 +++++ activemodel/lib/active_model/version.rb | 2 +- activerecord/CHANGELOG.md | 9 +++++++++ activerecord/lib/active_record/version.rb | 2 +- activeresource/CHANGELOG.md | 5 +++++ activeresource/lib/active_resource/version.rb | 2 +- activesupport/CHANGELOG.md | 10 ++++++++++ activesupport/lib/active_support/version.rb | 2 +- railties/CHANGELOG.md | 5 +++++ railties/lib/rails/version.rb | 2 +- version.rb | 2 +- 16 files changed, 50 insertions(+), 9 deletions(-) diff --git a/RAILS_VERSION b/RAILS_VERSION index f05489d385..100838dc41 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -3.2.18 +3.2.19 diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index 94d3f54bea..d7ed55ef4c 100644 --- a/actionmailer/CHANGELOG.md +++ b/actionmailer/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* No changes. + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/actionmailer/lib/action_mailer/version.rb b/actionmailer/lib/action_mailer/version.rb index 8212a9b108..f769dcacfd 100644 --- a/actionmailer/lib/action_mailer/version.rb +++ b/actionmailer/lib/action_mailer/version.rb @@ -2,7 +2,7 @@ module ActionMailer module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 643e926312..15fc0af20e 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,5 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + * Fix regression when using `ActionView::Helpers::TranslationHelper#translate` with `options[:raise]`. diff --git a/actionpack/lib/action_pack/version.rb b/actionpack/lib/action_pack/version.rb index ac6d3343b9..3dc00b99fe 100644 --- a/actionpack/lib/action_pack/version.rb +++ b/actionpack/lib/action_pack/version.rb @@ -2,7 +2,7 @@ module ActionPack module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index fb4bfda149..4f2e4e1959 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* No changes. + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb index e675c7454c..3137205802 100644 --- a/activemodel/lib/active_model/version.rb +++ b/activemodel/lib/active_model/version.rb @@ -2,7 +2,7 @@ module ActiveModel module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 6ac368f379..0334f4454e 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,3 +1,12 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* Fix SQL Injection Vulnerability in 'bitstring' quoting. + + Fixes CVE-2014-3482. + + *Rafael Mendonça França* + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index 3dd782af9f..cc73a14f7c 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -2,7 +2,7 @@ module ActiveRecord module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activeresource/CHANGELOG.md b/activeresource/CHANGELOG.md index 4a555cf6b8..64509399e8 100644 --- a/activeresource/CHANGELOG.md +++ b/activeresource/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* No changes. + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/activeresource/lib/active_resource/version.rb b/activeresource/lib/active_resource/version.rb index dee96b8fd8..5e8910f386 100644 --- a/activeresource/lib/active_resource/version.rb +++ b/activeresource/lib/active_resource/version.rb @@ -2,7 +2,7 @@ module ActiveResource module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index e22aded195..6123be4ab4 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,3 +1,13 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* Make sure Active Support configurations are applied correctly. + + Before this change configuration set using `config.active_support` + would not be set. + + *Rafael Mendonça França* + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/activesupport/lib/active_support/version.rb b/activesupport/lib/active_support/version.rb index 10c9fca86c..6fdf950bc0 100644 --- a/activesupport/lib/active_support/version.rb +++ b/activesupport/lib/active_support/version.rb @@ -2,7 +2,7 @@ module ActiveSupport module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index ce832d12ee..0ff661cc9f 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 3.2.19 (Jul 2, 2014) ## + +* No changes. + + ## Rails 3.2.18 (May 6, 2014) ## * No changes. diff --git a/railties/lib/rails/version.rb b/railties/lib/rails/version.rb index ec2f5467f0..ef640c9dab 100644 --- a/railties/lib/rails/version.rb +++ b/railties/lib/rails/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') diff --git a/version.rb b/version.rb index ec2f5467f0..ef640c9dab 100644 --- a/version.rb +++ b/version.rb @@ -2,7 +2,7 @@ module Rails module VERSION #:nodoc: MAJOR = 3 MINOR = 2 - TINY = 18 + TINY = 19 PRE = nil STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') -- cgit v1.2.3