From 6256b1de9a2d968b0d123ad6a09b33de01019ae6 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 12 Feb 2014 16:22:40 -0800
Subject: Correctly escape PostgreSQL arrays.

Thanks Godfrey Chan for reporting this!

Fixes: CVE-2014-0080
---
 activerecord/test/cases/adapters/postgresql/datatype_test.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'activerecord/test/cases/adapters')

diff --git a/activerecord/test/cases/adapters/postgresql/datatype_test.rb b/activerecord/test/cases/adapters/postgresql/datatype_test.rb
index 04a458fbce..5c3a797c41 100644
--- a/activerecord/test/cases/adapters/postgresql/datatype_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/datatype_test.rb
@@ -78,6 +78,14 @@ class PostgresqlDataTypeTest < ActiveRecord::TestCase
      PostgresqlBitString, PostgresqlOid, PostgresqlTimestampWithZone, PostgresqlUUID].each(&:delete_all)
   end
 
+  def test_array_escaping
+    unknown = %(foo\\",bar,baz,\\)
+    nicknames = ["hello_#{unknown}"]
+    ar = PostgresqlArray.create!(nicknames: nicknames, id: 100)
+    ar.reload
+    assert_equal nicknames, ar.nicknames
+  end
+
   def test_data_type_of_array_types
     assert_equal :integer, @first_array.column_for_attribute(:commission_by_quarter).type
     assert_equal :text, @first_array.column_for_attribute(:nicknames).type
-- 
cgit v1.2.3