From c35d913524966409721e96716217daca4e5ef5f3 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Sat, 9 Feb 2013 17:00:59 -0800
Subject: adding test for CVE

---
 activerecord/test/cases/mass_assignment_security_test.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'activerecord/test')

diff --git a/activerecord/test/cases/mass_assignment_security_test.rb b/activerecord/test/cases/mass_assignment_security_test.rb
index 5153945546..13f90e8eef 100644
--- a/activerecord/test/cases/mass_assignment_security_test.rb
+++ b/activerecord/test/cases/mass_assignment_security_test.rb
@@ -300,6 +300,16 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase
     assert_admin_attributes(p, true)
   end
 
+  def test_attr_protected_with_newline
+    p = LoosePerson.new
+    assert_raises(ActiveRecord::UnknownAttributeError) do
+      p.attributes = {"comments=\n"=>"hax"}
+    end
+    assert_nil p.comments, "Comments is meant to be attr_protected but I assigned it with attributes="
+    p.attributes= {"comments(1)\n" => "hax"}
+    assert_nil p.comments, "Comments is meant to be attr_protected but I assigned it with attributes="
+  end
+
 end
 
 
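Review bot: The second case, `p.attributes= {"comments(1)\n" => "hax"}`, has no comment and no assertion about raising, so a reader cannot tell that silently dropping the multiparameter-style key is intended while the plain `"comments=\n"` key is expected to raise `ActiveRecord::UnknownAttributeError`. A short comment above each assignment would record this, for example `# key with a trailing newline must not slip past the attr_protected name check` and `# multiparameter form: expected to be ignored, not raised`; the first wording assumes the newline targets the protected-name match, which the hunk does not show. Both `assert_nil` calls share the same failure message, so a regression does not say which key got through; appending the key to each message, or splitting the method into two tests, would make a failure self-explanatory. The test name and commit subject say only "CVE", so a comment naming the advisory (`# regression test for <CVE-ID>`) would help later readers find the fix. As a style point, `p.attributes=` on the second assignment should match the `p.attributes =` spacing used four lines earlier; the enclosing class starts outside the hunk.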
-- 
cgit v1.2.3