Sophie

Sophie

distrib > Fedora > 18 > i386 > by-pkgid > 8037e66fa6aa90d1ea6d9b34ab6af8d0 > files > 4

rubygem-activerecord-3.2.8-6.fc18.src.rpm

From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Fri, 4 Jan 2013 12:02:22 -0800
Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
 [CVE-2013-0155] * dealing with empty hashes. Thanks
 Damien Mathieu

---
 .../lib/active_record/relation/predicate_builder.rb   |    7 ++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
index 6b118b4..b31fdfd 100644
--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -6,7 +6,12 @@ module ActiveRecord
 
         if allow_table_name && value.is_a?(Hash)
           table = Arel::Table.new(column, engine)
-          build_from_hash(engine, value, table, false)
+
+          if value.empty?
+            '1 = 2'
+          else
+            build_from_hash(engine, value, table, false)
+          end
         else
           column = column.to_s
 
-- 
1.7.10.2 (Apple Git-33)

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional