Merge branch 'release-v3.2.2' into stable

This commit is contained in:
Holger Just 2012-06-13 11:04:48 +02:00
commit 59e2a2fdde
3 changed files with 56 additions and 5 deletions

View File

@ -116,26 +116,33 @@ module ActionController
end
end
# Backported fix for CVE-2012-2660
# Backported fix for
# CVE-2012-2660
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
# TODO: Remove this once we are on Rails >= 3.2.4
#
# CVE-2012-2694
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
#
# TODO: Remove this once we are on Rails >= 3.2.6
require 'action_controller/request'
class Request
protected
# Remove nils from the params hash
def deep_munge(hash)
keys = hash.keys.find_all { |k| hash[k] == [nil] }
keys.each { |k| hash[k] = nil }
hash.each_value do |v|
case v
when Array
v.grep(Hash) { |x| deep_munge(x) }
v.compact!
when Hash
deep_munge(v)
end
end
keys = hash.keys.find_all { |k| hash[k] == [nil] }
keys.each { |k| hash[k] = nil }
hash
end
@ -144,3 +151,42 @@ module ActionController
end
end
end
# Backported fix for CVE-2012-2695
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59
# TODO: Remove this once we are on Rails >= 3.2.6
require 'active_record/base'
module ActiveRecord
class Base
class << self
def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
attrs = expand_hash_conditions_for_aggregates(attrs)
conditions = attrs.map do |attr, value|
table_name = default_table_name
if not value.is_a?(Hash)
attr = attr.to_s
# Extract table name from qualified attribute names.
if attr.include?('.') and top_level
attr_table_name, attr = attr.split('.', 2)
attr_table_name = connection.quote_table_name(attr_table_name)
else
attr_table_name = table_name
end
attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
elsif top_level
sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
else
raise ActiveRecord::StatementInvalid
end
end.join(' AND ')
replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
end
alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
end
end
end

View File

@ -1,5 +1,10 @@
= ChiliProject Changelog
== 2012-06-13 v3.2.2
* Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
* Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)
== 2012-06-10 v3.2.1
* Bug #1034: Gravatar

View File

@ -19,7 +19,7 @@ module ChiliProject
MAJOR = 3
MINOR = 2
PATCH = 1
PATCH = 2
TINY = PATCH # Redmine compat
# Used by semver to define the special version (if any).