From 4642d68d8021893c69bfd16ed6e926ae03a6d777 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Mon, 18 Jan 2016 13:51:02 -0800
Subject: Eliminate instance level writers for class accessors

Instance level writers can have an impact on how the Active Model /
Record objects are saved.  Specifically, they can be used to bypass
validations.  This is a problem if mass assignment protection is
disabled and specific attributes are passed to the constructor.

CVE-2016-0753
---
 activesupport/lib/active_support/callbacks.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'activesupport/lib')

diff --git a/activesupport/lib/active_support/callbacks.rb b/activesupport/lib/active_support/callbacks.rb
index bf560ec1fa..e6baddf5db 100644
--- a/activesupport/lib/active_support/callbacks.rb
+++ b/activesupport/lib/active_support/callbacks.rb
@@ -71,7 +71,7 @@ module ActiveSupport
     # halt the entire callback chain and display a deprecation message.
     # If false, callback chains will only be halted by calling +throw :abort+.
     # Defaults to +true+.
-    mattr_accessor(:halt_and_display_warning_on_return_false) { true }
+    mattr_accessor(:halt_and_display_warning_on_return_false, instance_writer: false) { true }
 
     # Runs the callbacks for the given event.
     #
@@ -742,7 +742,7 @@ module ActiveSupport
         options = names.extract_options!
 
         names.each do |name|
-          class_attribute "_#{name}_callbacks"
+          class_attribute "_#{name}_callbacks", instance_writer: false
           set_callbacks name, CallbackChain.new(name, options)
 
           module_eval <<-RUBY, __FILE__, __LINE__ + 1
-- 
cgit v1.2.3