From cc2903da9f13c26ba3d94c149f31d4c53b94b2ed Mon Sep 17 00:00:00 2001
From: Ernie Miller
Date: Fri, 8 Jun 2012 16:32:08 -0400
Subject: Additional fix for CVE-2012-2661

While the patched PredicateBuilder in 3.1.5 prevents a user from specifying a table name using the `table.column` format, it doesn't protect against the nesting of hashes changing the table context in the next call to build_from_hash. This fix covers this case as well.
---
 activerecord/test/cases/relation/where_test.rb | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'activerecord/test/cases/relation/where_test.rb')
diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
index 90c690e266..b9eef1d32f 100644
--- a/activerecord/test/cases/relation/where_test.rb
+++ b/activerecord/test/cases/relation/where_test.rb
@@ -11,6 +11,12 @@ module ActiveRecord
 end
 end

+ def test_where_error_with_hash
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.where(:id => { :posts => {:author_id => 10} }).first
+ end
+ end
+
 def test_where_with_table_name
 post = Post.first
 assert_equal post, Post.where(:posts => { 'id' => post.id }).first
-- cgit v1.2.3
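Review bot: `test_where_error_with_hash` asserts only that `ActiveRecord::StatementInvalid` is raised when `.first` runs the query, so it would also pass if the nested hash produced any other invalid SQL; it does not pin that the inner `:posts` key is refused as a table name. From the commit message the intent is that nesting must not change the table context, so a short comment above the test such as `# CVE-2012-2661: a nested hash must not switch the table context to another table` would keep that intent visible to whoever edits this later. If the adapter-level error is the only observable signal, it may be worth saying so in that comment, since the outcome then presumably depends on the database rejecting the statement rather than on PredicateBuilder itself. The PredicateBuilder change is not part of this page (the view is limited to the test file), so the test cannot be checked against the fix here.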