1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
|
Description: Fix for CVE-2013-0155
This includes the patch released in the updated announcement for CVE-2013-0155
plus some previous changes that it requires.
.
Author: Justin Collins
(commit 62f81f4d cherry-picked from upstream git repository)
Author: Ernie Miller
Reviewed-By: Antonio Terceiro <terceiro@debian.org>
Upstream-Bug: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/c7jT-EeN9eI
---
activerecord/lib/active_record/base.rb | 2 ++
1 file changed, 2 insertions(+)
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -2298,17 +2298,19 @@ module ActiveRecord #:nodoc:
# And for value objects on a composed_of relationship:
# { :address => Address.new("123 abc st.", "chicago") }
# # => "address_street='123 abc st.' and address_city='chicago'"
- def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name)
+ def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
attrs = expand_hash_conditions_for_aggregates(attrs)
+ return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
+
conditions = attrs.map do |attr, value|
table_name = default_table_name
- unless value.is_a?(Hash)
+ if not value.is_a?(Hash)
attr = attr.to_s
# Extract table name from qualified attribute names.
- if attr.include?('.')
+ if attr.include?('.') and top_level
attr_table_name, attr = attr.split('.', 2)
attr_table_name = connection.quote_table_name(attr_table_name)
else
@@ -2316,8 +2318,10 @@ module ActiveRecord #:nodoc:
end
attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
+ elsif top_level
+ sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
else
- sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s))
+ raise ActiveRecord::StatementInvalid
end
end.join(' AND ')
--- a/activerecord/test/cases/finder_test.rb
+++ b/activerecord/test/cases/finder_test.rb
@@ -375,6 +375,22 @@ class FinderTest < ActiveRecord::TestCas
}
end
+ def test_hash_condition_find_with_improper_nested_hashes
+ assert_raise(ActiveRecord::StatementInvalid) {
+ Company.find(:first, :conditions => { :name => { :companies => { :id => 1 }}})
+ }
+ end
+
+ def test_hash_condition_find_with_dot_in_nested_column_name
+ assert_raise(ActiveRecord::StatementInvalid) {
+ Company.find(:first, :conditions => { :name => { "companies.id" => 1 }})
+ }
+ end
+
+ def test_hash_condition_find_with_dot_in_column_name_okay
+ assert Company.find(:first, :conditions => { "companies.id" => 1 })
+ end
+
def test_hash_condition_find_with_escaped_characters
Company.create("name" => "Ain't noth'n like' \#stuff")
assert Company.find(:first, :conditions => { :name => "Ain't noth'n like' \#stuff" })
|