From 060bb7250b963609a0d8a5d0559e36b99d2402c6 Mon Sep 17 00:00:00 2001
From: joernchen of Phenoelit <joernchen@phenoelit.de>
Date: Sat, 9 Feb 2013 15:46:44 -0800
Subject: Fix issue with attr_protected where malformed input could circumvent
 protection

Fixes: CVE-2013-0276
---
 activemodel/lib/active_model/attribute_methods.rb                       | 2 +-
 activemodel/lib/active_model/mass_assignment_security/permission_set.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'activemodel/lib/active_model')

diff --git a/activemodel/lib/active_model/attribute_methods.rb b/activemodel/lib/active_model/attribute_methods.rb
index f033a94c02..96f2c82631 100644
--- a/activemodel/lib/active_model/attribute_methods.rb
+++ b/activemodel/lib/active_model/attribute_methods.rb
@@ -365,7 +365,7 @@ module ActiveModel
             end
 
             @prefix, @suffix = options[:prefix] || '', options[:suffix] || ''
-            @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/
+            @regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/
             @method_missing_target = "#{@prefix}attribute#{@suffix}"
             @method_name = "#{prefix}%s#{suffix}"
           end
diff --git a/activemodel/lib/active_model/mass_assignment_security/permission_set.rb b/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
index a1fcdf1a38..10faa29f31 100644
--- a/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
@@ -19,7 +19,7 @@ module ActiveModel
     protected
 
       def remove_multiparameter_id(key)
-        key.to_s.gsub(/\(.+/, '')
+        key.to_s.gsub(/\(.+/m, '')
       end
     end
 
-- 
cgit v1.2.3


From 1dccd44a5c74f20b0406ecc8d39373226f73af35 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Sun, 10 Feb 2013 19:05:41 -0800
Subject: bumping version

---
 activemodel/lib/active_model/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'activemodel/lib/active_model')

diff --git a/activemodel/lib/active_model/version.rb b/activemodel/lib/active_model/version.rb
index 51a678d151..5f4fd126a6 100644
--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 11
+    TINY  = 12
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
-- 
cgit v1.2.3