From 6370e69143b5edce1b61135259e1f81006aaee6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 18 Feb 2014 12:04:26 -0300 Subject: Document the default scopes change on the release notes, CHANGELOG and upgrating guides [ci skip] --- activerecord/CHANGELOG.md | 61 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) (limited to 'activerecord') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 458b9d77c2..926270ddda 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md 
@@ -1,3 +1,64 @@ +* Default scopes are no longer overriden by chained conditions. + + Before this change when you defined a `default_scope` in a model + it was overriden by chained conditions in the same field. Now it + is merged like any other scope. + + Before: + + class User < ActiveRecord::Base + default_scope { where state: 'pending' } + scope :active, -> { where state: 'active' } + scope :inactive, -> { where state: 'inactive' } + end + + User.all + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' + + User.active + # => SELECT "users".* FROM "users" WHERE "users"."status" = 'active' + + User.where(state: 'inactive') + # => SELECT "users".* FROM "users" WHERE "users"."status" = 'inactive' + + After: + + class User < ActiveRecord::Base + default_scope { where state: 'pending' } + scope :active, -> { where state: 'active' } + scope :inactive, -> { where state: 'inactive' } + end + + User.all + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' + + User.active + # => SELECT "users".* FROM "users" WHERE "users"."status" = 'pending' AND "users"."status" = 'active' + + User.where(state: 'inactive') + # => SELECT "users".* FROM "users" WHERE "users"."status" = 'pending' AND "users"."status" = 'inactive' + + To get the previous behavior it is needed to explicitly remove the + `default_scope` condition using `unscoped`, `unscope`, `rewhere` or + `except`. + + Example: + + class User < ActiveRecord::Base + default_scope { where state: 'pending' } + scope :active, -> { unescope(where: :state).where(state: 'active') } + scope :inactive, -> { rewhere state: 'inactive' } + end + + User.all + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' + + User.active + # => SELECT "users".* FROM "users" WHERE "users"."status" = 'active' + + User.inactive + # => SELECT "users".* FROM "users" WHERE "users"."status" = 'inactive' + * Perform necessary deeper encoding when hstore is inside an array. Fixes #11135. -- cgit v1.2.3 
From 967a6dc8985ee5d9956b23ba23f0f9d39a0c07d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 18 Feb 2014 12:08:51 -0300 Subject: Fix the column name [ci skip] --- activerecord/CHANGELOG.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'activerecord') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 926270ddda..337730b831 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -16,10 +16,10 @@ # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' User.active - # => SELECT "users".* FROM "users" WHERE "users"."status" = 'active' + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'active' User.where(state: 'inactive') - # => SELECT "users".* FROM "users" WHERE "users"."status" = 'inactive' + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive' After: @@ -33,10 +33,10 @@ # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' User.active - # => SELECT "users".* FROM "users" WHERE "users"."status" = 'pending' AND "users"."status" = 'active' + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' AND "users"."state" = 'active' User.where(state: 'inactive') - # => SELECT "users".* FROM "users" WHERE "users"."status" = 'pending' AND "users"."status" = 'inactive' + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' AND "users"."state" = 'inactive' To get the previous behavior it is needed to explicitly remove the `default_scope` condition using `unscoped`, `unscope`, `rewhere` or 
@@ -54,10 +54,10 @@ # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' User.active - # => SELECT "users".* FROM "users" WHERE "users"."status" = 'active' + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'active' User.inactive - # => SELECT "users".* FROM "users" WHERE "users"."status" = 'inactive' + # => SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive' * Perform necessary deeper encoding when hstore is inside an array. -- cgit v1.2.3 From fc641a1a5b2162530482697bc1fec2a6d4ca1d5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 18 Feb 2014 13:48:26 -0300 Subject: Don't use `# =>` when it is not the expression values [ci skip] --- activerecord/CHANGELOG.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'activerecord') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 337730b831..51de53a277 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -13,13 +13,13 @@ end User.all - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' User.active - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'active' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'active' User.where(state: 'inactive') - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive' After: 
@@ -30,13 +30,13 @@ end User.all - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' User.active - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' AND "users"."state" = 'active' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' AND "users"."state" = 'active' User.where(state: 'inactive') - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' AND "users"."state" = 'inactive' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' AND "users"."state" = 'inactive' To get the previous behavior it is needed to explicitly remove the `default_scope` condition using `unscoped`, `unscope`, `rewhere` or @@ -51,13 +51,13 @@ end User.all - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'pending' User.active - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'active' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'active' User.inactive - # => SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive' + # SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive' * Perform necessary deeper encoding when hstore is inside an array. -- cgit v1.2.3 From 6256b1de9a2d968b0d123ad6a09b33de01019ae6 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 12 Feb 2014 16:22:40 -0800 Subject: Correctly escape PostgreSQL arrays. Thanks Godfrey Chan for reporting this! Fixes: CVE-2014-0080 --- .../lib/active_record/connection_adapters/postgresql/cast.rb | 6 +++++- activerecord/test/cases/adapters/postgresql/datatype_test.rb | 8 ++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) (limited to 'activerecord') diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb b/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb index bf34f2bdae..bb6ea95bea 100644 
--- a/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb +++ b/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb @@ -142,12 +142,16 @@ module ActiveRecord end end + ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays + def quote_and_escape(value) case value when "NULL" value else - "\"#{value.gsub(/"/,"\\\"")}\"" + value = value.gsub(/\\/, ARRAY_ESCAPE) + value.gsub!(/"/,"\\\"") + "\"#{value}\"" end end diff --git a/activerecord/test/cases/adapters/postgresql/datatype_test.rb b/activerecord/test/cases/adapters/postgresql/datatype_test.rb index 04a458fbce..5c3a797c41 100644 --- a/activerecord/test/cases/adapters/postgresql/datatype_test.rb +++ b/activerecord/test/cases/adapters/postgresql/datatype_test.rb @@ -78,6 +78,14 @@ class PostgresqlDataTypeTest < ActiveRecord::TestCase PostgresqlBitString, PostgresqlOid, PostgresqlTimestampWithZone, PostgresqlUUID].each(&:delete_all) end + def test_array_escaping + unknown = %(foo\\",bar,baz,\\) + nicknames = ["hello_#{unknown}"] + ar = PostgresqlArray.create!(nicknames: nicknames, id: 100) + ar.reload + assert_equal nicknames, ar.nicknames + end + def test_data_type_of_array_types assert_equal :integer, @first_array.column_for_attribute(:commission_by_quarter).type assert_equal :text, @first_array.column_for_attribute(:nicknames).type -- cgit v1.2.3 From 8b20c72dd80e2faf531f308d430a145a253aeac3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 18 Feb 2014 15:45:20 -0300 Subject: Preparing for 4.1.0.beta2 release --- activerecord/CHANGELOG.md | 4 ++++ activerecord/lib/active_record/version.rb | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'activerecord') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index c90ed03ac4..41d209cf67 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md 
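Review bot: The new constant `ARRAY_ESCAPE = "\\" * 2 * 2` reads as an arbitrary arithmetic expression, and its comment ("escape the backslash twice") does not say why four backslashes are needed: the literal is used as a `gsub` replacement string, where `\\` stands for one literal backslash, so four in the replacement emit two into the value and each `\` in an element becomes `\\`. I would write it as `ARRAY_ESCAPE = "\\" * 4 # gsub replacement: "\\\\" emits two literal backslashes, so each "\" in value becomes "\\"`. The order of the two substitutions in `quote_and_escape` is also load-bearing and deserves a why-comment above the first `gsub`, e.g. `# double backslashes first: the quote pass below inserts backslashes that must not themselves be doubled`. The method itself is complete in the hunk, but its enclosing module/class starts and ends outside it.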
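Review bot: `test_array_escaping` only checks a create/reload round trip, so a failure would surface as a PostgreSQL parse error or mismatched reload rather than pointing at the escaping code; a direct assertion on `quote_and_escape` for an element containing both a backslash and a double quote would pin the exact quoted literal and localise regressions in the substitution order. The fixed `id: 100` presumably avoids clashing with fixture rows, but that is worth a short comment since a collision would fail the test for an unrelated reason. The test class continues outside the hunk.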
@@ -1,3 +1,7 @@ +* Correctly escape PostgreSQL arrays. + + Fixes: CVE-2014-0080 + * `Relation` no longer has mutator methods like `#map!` and `#delete_if`. Convert to an `Array` by calling `#to_a` before using these methods. diff --git a/activerecord/lib/active_record/version.rb b/activerecord/lib/active_record/version.rb index 863c3ebe4d..7795561e51 100644 --- a/activerecord/lib/active_record/version.rb +++ b/activerecord/lib/active_record/version.rb @@ -1,7 +1,7 @@ module ActiveRecord # Returns the version of the currently loaded ActiveRecord as a Gem::Version def self.version - Gem::Version.new "4.1.0.beta1" + Gem::Version.new "4.1.0.beta2" end module VERSION #:nodoc: -- cgit v1.2.3 From b74490e4f25ef26de3906cd5cd9ca0193e873372 Mon Sep 17 00:00:00 2001 From: Amit Thawait Date: Tue, 18 Feb 2014 11:26:54 -0800 Subject: Typo fix for unscope --- activerecord/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'activerecord') diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 38206d727f..7efd75a239 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -46,7 +46,7 @@ class User < ActiveRecord::Base default_scope { where state: 'pending' } - scope :active, -> { unescope(where: :state).where(state: 'active') } + scope :active, -> { unscope(where: :state).where(state: 'active') } scope :inactive, -> { rewhere state: 'inactive' } end -- cgit v1.2.3