From 13b1b381de048e00f06fbab410d9d3ecc26460b9 Mon Sep 17 00:00:00 2001 From: Tobias Kraze <tobias@kraze.eu> Date: Fri, 8 Feb 2013 12:52:10 +0100 Subject: [PATCH] fix serialization vulnerability --- .../lib/active_record/attribute_methods/write.rb | 9 ++++++++- activerecord/test/cases/base_test.rb | 6 ++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/activerecord/lib/active_record/attribute_methods/write.rb b/activerecord/lib/active_record/attribute_methods/write.rb index 3c4dab3..4684c4b 100644 --- a/activerecord/lib/active_record/attribute_methods/write.rb +++ b/activerecord/lib/active_record/attribute_methods/write.rb @@ -10,7 +10,14 @@ module ActiveRecord module ClassMethods protected def define_method_attribute=(attr_name) - if attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/ + if self.serialized_attributes[attr_name] + generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value| + if new_value.is_a?(String) and new_value =~ /^---/ + raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues." + end + write_attribute(attr_name, new_value) + end + elsif attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/ generated_attribute_methods.module_eval("def #{attr_name}=(new_value); write_attribute('#{attr_name}', new_value); end", __FILE__, __LINE__) else generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value| -- 1.7.9.5