From d5cd97baa44fa66dc681041a213092b45c57c32f Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Fri, 4 Jan 2013 12:02:22 -0800
Subject: * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
* dealing with empty hashes. Thanks Damien Mathieu
---
 activerecord/lib/active_record/relation/predicate_builder.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'activerecord/lib')
diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
index 6b118b4912..b31fdfd981 100644
--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -6,7 +6,12 @@ module ActiveRecord
 if allow_table_name && value.is_a?(Hash)
 table = Arel::Table.new(column, engine)
- build_from_hash(engine, value, table, false)
+
+ if value.empty?
+ '1 = 2'
+ else
+ build_from_hash(engine, value, table, false)
+ end
 else
 column = column.to_s
--
cgit v1.2.3
From 746dbd89faf8197e6d6f35f6e428a024923116a2 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Mon, 7 Jan 2013 16:15:56 -0800
Subject: bumping version
---
 activerecord/lib/active_record/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'activerecord/lib')
diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb
index 36266e968b..ff9fa279f4 100644
--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
 module VERSION #:nodoc:
 MAJOR = 3
 MINOR = 2
- TINY = 10
+ TINY = 11
 PRE = nil
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
--
cgit v1.2.3
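Review bot: The new `if value.empty?` branch returns the bare SQL string `'1 = 2'` with no comment, while the sibling branch returns whatever `build_from_hash` produces, so a later reader has no way to tell that a never-true predicate is deliberate rather than a placeholder. I would add a why-comment directly above `if value.empty?`, e.g. `# An empty nested hash (as left behind after nils are stripped from a JSON/XML payload) must not collapse into an empty condition that matches every row; emit a predicate that can never be satisfied.` Since the array this feeds otherwise carries Arel nodes, wrapping the literal as `Arel.sql('1 = 2')` would also make its type explicit to callers, though whether a plain String is accepted downstream cannot be confirmed from the hunk. The enclosing `build_from_hash` method begins before and ends after this hunk.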