Sophie


rubygem-activerecord-3.0.11-6.fc17.src.rpm

From f943e386039e0f28e777e2cf7ec39a7dbe24c040 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Fri, 4 Jan 2013 12:02:22 -0800
Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
 [CVE-2013-0155] * dealing with empty hashes. Thanks
 Damien Mathieu

Conflicts:
	activerecord/lib/active_record/relation/predicate_builder.rb
---
 .../lib/active_record/relation/predicate_builder.rb   |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
index e74ba73..71eabcb 100644
--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -11,7 +11,12 @@ module ActiveRecord
 
         if allow_table_name && value.is_a?(Hash)
           table = Arel::Table.new(column, :engine => @engine)
-          build_from_hash(value, table, false)
+
+          if value.empty?
+            '1 = 2'
+          else
+            build_from_hash(value, table, false)
+          end
         else
           column = column.to_s
 
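Review bot: the new `if value.empty?` branch returns the bare string `'1 = 2'` while the `else` branch returns whatever `build_from_hash` builds for the nested table, so the predicate list now mixes a raw SQL string with the builder's normal output; if the caller does not already accept plain strings alongside Arel nodes, wrap it (for example `Arel.sql('1 = 2')` or an `Arel::Nodes::SqlLiteral`) so both branches yield the same kind of object. The branch also deserves a one-line comment stating why an empty nested hash must produce an always-false condition rather than no condition at all, since that is the whole point of the fix ([CVE-2013-0155]) and a later cleanup could otherwise remove the special case as dead code.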
-- 
1.7.10.2 (Apple Git-33)