Merge branch 'release-v3.2.2' into stable

2012-06-13 11:04:48 +02:00 · 2012-06-13 11:04:48 +02:00 · 59e2a2fdde
parent 221a2e73ce 5c7a3a53c2
commit 59e2a2fdde
3 changed files with 56 additions and 5 deletions
--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@ -116,26 +116,33 @@ module ActionController
    end
  end

-  # Backported fix for CVE-2012-2660
+  # Backported fix for
+  # CVE-2012-2660
  # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
-  # TODO: Remove this once we are on Rails >= 3.2.4
+  #
+  # CVE-2012-2694
+  # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
+  #
+  # TODO: Remove this once we are on Rails >= 3.2.6
  require 'action_controller/request'
  class Request
    protected

    # Remove nils from the params hash
    def deep_munge(hash)
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+
      hash.each_value do |v|
        case v
        when Array
          v.grep(Hash) { |x| deep_munge(x) }
+          v.compact!
        when Hash
          deep_munge(v)
        end
      end

-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
-      keys.each { |k| hash[k] = nil }
      hash
    end

@ -144,3 +151,42 @@ module ActionController
    end
  end
 end
+
+# Backported fix for CVE-2012-2695
+# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59
+# TODO: Remove this once we are on Rails >= 3.2.6
+require 'active_record/base'
+module ActiveRecord
+  class Base
+    class << self
+      def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
+        attrs = expand_hash_conditions_for_aggregates(attrs)
+
+        conditions = attrs.map do |attr, value|
+          table_name = default_table_name
+
+          if not value.is_a?(Hash)
+            attr = attr.to_s
+
+            # Extract table name from qualified attribute names.
+            if attr.include?('.') and top_level
+              attr_table_name, attr = attr.split('.', 2)
+              attr_table_name = connection.quote_table_name(attr_table_name)
+            else
+              attr_table_name = table_name
+            end
+
+            attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
+          elsif top_level
+            sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
+          else
+            raise ActiveRecord::StatementInvalid
+          end
+        end.join(' AND ')
+
+        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
+      end
+      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
+    end
+  end
+end
--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
@ -1,5 +1,10 @@
 = ChiliProject Changelog

+== 2012-06-13 v3.2.2
+
+* Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
+* Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)
+
 == 2012-06-10 v3.2.1

 * Bug #1034: Gravatar
--- a/lib/chili_project/version.rb
+++ b/lib/chili_project/version.rb
@ -19,7 +19,7 @@ module ChiliProject

    MAJOR = 3
    MINOR = 2
-    PATCH = 1
+    PATCH = 2
    TINY  = PATCH # Redmine compat

    # Used by semver to define the special version (if any).