Merge branch 'master' into backbone.ws

2013-01-17 11:46:07 +04:00 · 2013-01-17 11:46:07 +04:00 · 5e370b720b
parent 9ebbce7ba3 eb41df17d2
commit 5e370b720b
3 changed files with 46 additions and 1 deletions
--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@ -199,6 +199,47 @@ module ActionController
  end
 end

+# Fix for CVE-2013-0155
+# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
+# TODO: Remove this once we are on Rails >= 3.2.11
+module ActiveRecord
+  class Base
+    class << self
+    protected
+      def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
+        attrs = expand_hash_conditions_for_aggregates(attrs)
+
+        return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
+
+        conditions = attrs.map do |attr, value|
+          table_name = default_table_name
+
+          if not value.is_a?(Hash)
+            attr = attr.to_s
+
+            # Extract table name from qualified attribute names.
+            if attr.include?('.') and top_level
+              attr_table_name, attr = attr.split('.', 2)
+              attr_table_name = connection.quote_table_name(attr_table_name)
+            else
+              attr_table_name = table_name
+            end
+
+            attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
+          elsif top_level
+            sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
+          else
+            raise ActiveRecord::StatementInvalid
+          end
+        end.join(' AND ')
+
+        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
+      end
+      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
+    end
+  end
+end
+
 # Backported fix for CVE-2012-3465
 # https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
 # TODO: Remove this once we are on Rails >= 3.2.8
--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
@ -1,5 +1,9 @@
 = ChiliProject Changelog

+== 2013-01-16 v3.5.1
+
+* Security - Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
+
 == 2013-01-09 v3.5.0

 * Security - Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
--- a/lib/chili_project/version.rb
+++ b/lib/chili_project/version.rb
@ -19,7 +19,7 @@ module ChiliProject

    MAJOR = 3
    MINOR = 5
-    PATCH = 0
+    PATCH = 1
    TINY  = PATCH # Redmine compat

    # Used by semver to define the special version (if any).