kolan/obsolete.ChilliProject
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix SQL injection via nested hashes in conditions (CVE-2012-2694) #1036

Browse Source
This commit is contained in:
Holger Just 2012-06-13 09:29:39 +02:00
parent c9d141061d
commit d629209364
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
config/initializers/10-patches.rb
View File

@ -116,26 +116,33 @@ module ActionController
end end
end end
# Backported fix for CVE-2012-2660 # Backported fix for
# CVE-2012-2660
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
# TODO: Remove this once we are on Rails >= 3.2.4 #
# CVE-2012-2694
# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
#
# TODO: Remove this once we are on Rails >= 3.2.6
require 'action_controller/request' require 'action_controller/request'
class Request class Request
protected protected
# Remove nils from the params hash # Remove nils from the params hash
def deep_munge(hash) def deep_munge(hash)
keys = hash.keys.find_all { |k| hash[k] == [nil] }
keys.each { |k| hash[k] = nil }
hash.each_value do |v| hash.each_value do |v|
case v case v
when Array when Array
v.grep(Hash) { |x| deep_munge(x) } v.grep(Hash) { |x| deep_munge(x) }
v.compact!
when Hash when Hash
deep_munge(v) deep_munge(v)
end end
end end
keys = hash.keys.find_all { |k| hash[k] == [nil] }
keys.each { |k| hash[k] = nil }
hash hash
end end