From 9340f89849606dba02f44038171f3837f883fd4e Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Wed, 30 May 2012 15:09:13 -0700
Subject: predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this CVE-2012-2661
---
activerecord/test/cases/relation/where_test.rb | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 activerecord/test/cases/relation/where_test.rb
(limited to 'activerecord/test/cases')
diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
new file mode 100644
index 0000000000..90c690e266
--- /dev/null
+++ b/activerecord/test/cases/relation/where_test.rb
@@ -0,0 +1,19 @@
+require "cases/helper"
+require 'models/post'
+
+module ActiveRecord
+ class WhereTest < ActiveRecord::TestCase
+ fixtures :posts
+
+ def test_where_error
+ assert_raises(ActiveRecord::StatementInvalid) do
+ Post.where(:id => { 'posts.author_id' => 10 }).first
+ end
+ end
+
+ def test_where_with_table_name
+ post = Post.first
+ assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+ end
+ end
+end
-- cgit v1.2.3
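Review bot: `test_where_error` accepts any `ActiveRecord::StatementInvalid`, so it would also pass if the query failed for a reason unrelated to the fix, and nothing in the file says what it guards. I would add a comment above it along the lines of `# CVE-2012-2661: a dotted key inside a nested where hash must be treated as a column of the outer table name, never re-split into table.column`, which is what the commit subject and the assertion together appear to imply. If adapter quoting is stable enough across the test matrix, a second assertion on `Post.where(:id => { 'posts.author_id' => 10 }).to_sql` would pin the generated predicate rather than relying on the database to reject it. `test_where_with_table_name` covers the legitimate `:table => { column => value }` form but has no counterpart for a nested hash whose key is an unknown table, which would be worth a follow-up case.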