Fix for Rails vulnerabilities CVE-2012-2694 and CVE-2012-2695.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.4-stable@9849 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
10711fda6d
commit
933e96116e
|
@ -88,22 +88,25 @@ module ActionController
|
||||||
|
|
||||||
# CVE-2012-2660
|
# CVE-2012-2660
|
||||||
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
|
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
|
||||||
|
# CVE-2012-2694
|
||||||
|
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
|
||||||
class Request
|
class Request
|
||||||
protected
|
protected
|
||||||
|
|
||||||
# Remove nils from the params hash
|
# Remove nils from the params hash
|
||||||
def deep_munge(hash)
|
def deep_munge(hash)
|
||||||
|
keys = hash.keys.find_all { |k| hash[k] == [nil] }
|
||||||
|
keys.each { |k| hash[k] = nil }
|
||||||
|
|
||||||
hash.each_value do |v|
|
hash.each_value do |v|
|
||||||
case v
|
case v
|
||||||
when Array
|
when Array
|
||||||
v.grep(Hash) { |x| deep_munge(x) }
|
v.grep(Hash) { |x| deep_munge(x) }
|
||||||
|
v.compact!
|
||||||
when Hash
|
when Hash
|
||||||
deep_munge(v)
|
deep_munge(v)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
keys = hash.keys.find_all { |k| hash[k] == [nil] }
|
|
||||||
keys.each { |k| hash[k] = nil }
|
|
||||||
hash
|
hash
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -112,3 +115,40 @@ module ActionController
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# CVE-2012-2695
|
||||||
|
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59
|
||||||
|
module ActiveRecord
|
||||||
|
class Base
|
||||||
|
class << self
|
||||||
|
def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
|
||||||
|
attrs = expand_hash_conditions_for_aggregates(attrs)
|
||||||
|
|
||||||
|
conditions = attrs.map do |attr, value|
|
||||||
|
table_name = default_table_name
|
||||||
|
|
||||||
|
if not value.is_a?(Hash)
|
||||||
|
attr = attr.to_s
|
||||||
|
|
||||||
|
# Extract table name from qualified attribute names.
|
||||||
|
if attr.include?('.') and top_level
|
||||||
|
attr_table_name, attr = attr.split('.', 2)
|
||||||
|
attr_table_name = connection.quote_table_name(attr_table_name)
|
||||||
|
else
|
||||||
|
attr_table_name = table_name
|
||||||
|
end
|
||||||
|
|
||||||
|
attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
|
||||||
|
elsif top_level
|
||||||
|
sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
|
||||||
|
else
|
||||||
|
raise ActiveRecord::StatementInvalid
|
||||||
|
end
|
||||||
|
end.join(' AND ')
|
||||||
|
|
||||||
|
replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
|
||||||
|
end
|
||||||
|
alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
|
@ -13,6 +13,7 @@ http://www.redmine.org/
|
||||||
* Defect #11178: Spent time sorted by date-descending order lists same-date entries in physical order
|
* Defect #11178: Spent time sorted by date-descending order lists same-date entries in physical order
|
||||||
* Feature #6597: Configurable session lifetime and timeout
|
* Feature #6597: Configurable session lifetime and timeout
|
||||||
* Patch #11113: Small glitch in German localization
|
* Patch #11113: Small glitch in German localization
|
||||||
|
* Fix for Rails vulnerabilities CVE-2012-2694 and CVE-2012-2695
|
||||||
|
|
||||||
== 2012-06-05 v1.4.3
|
== 2012-06-05 v1.4.3
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue