From 6256b1de9a2d968b0d123ad6a09b33de01019ae6 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 12 Feb 2014 16:22:40 -0800 Subject: Correctly escape PostgreSQL arrays. Thanks Godfrey Chan for reporting this! Fixes: CVE-2014-0080 --- .../lib/active_record/connection_adapters/postgresql/cast.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'activerecord/lib') diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb b/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb index bf34f2bdae..bb6ea95bea 100644 --- a/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb +++ b/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb @@ -142,12 +142,16 @@ module ActiveRecord end end + ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays + def quote_and_escape(value) case value when "NULL" value else - "\"#{value.gsub(/"/,"\\\"")}\"" + value = value.gsub(/\\/, ARRAY_ESCAPE) + value.gsub!(/"/,"\\\"") + "\"#{value}\"" end end -- cgit v1.2.3 From 8b20c72dd80e2faf531f308d430a145a253aeac3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 18 Feb 2014 15:45:20 -0300 Subject: Preparing for 4.1.0.beta2 release --- activerecord/lib/active_record/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'activerecord/lib') diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index 863c3ebe4d..7795561e51 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -1,7 +1,7 @@ module ActiveRecord # Returns the version of the currently loaded ActiveRecord as a Gem::Version def self.version - Gem::Version.new "4.1.0.beta1" + Gem::Version.new "4.1.0.beta2" end module VERSION #:nodoc: -- cgit v1.2.3