Fix for Rails vulnerabilities CVE-2012-2694 and CVE-2012-2695.
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 17 Jun 2012 09:21:16 +0000 (09:21 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 17 Jun 2012 09:21:16 +0000 (09:21 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.4-stable@9849 e93f8b46-1217-0410-a6f0-8f06a7374b81

config/initializers/10-patches.rb
doc/CHANGELOG

index 43cd7d0a8d433c32bb0eaae548b0e1c76be2b409..fd624c79cd66d3f7c74033e99e4fbd14b6876b08 100644 (file)
@@ -88,22 +88,25 @@ module ActionController
 
   # CVE-2012-2660
   # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
+  # CVE-2012-2694
+  # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e
   class Request
     protected
 
     # Remove nils from the params hash
     def deep_munge(hash)
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+
       hash.each_value do |v|
         case v
         when Array
           v.grep(Hash) { |x| deep_munge(x) }
+          v.compact!
         when Hash
           deep_munge(v)
         end
       end
-
-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
-      keys.each { |k| hash[k] = nil }
       hash
     end
 
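Review bot: In `deep_munge`, the `[nil]` normalisation now runs before the new `v.compact!`, so an array holding more than one nil (for example `[nil, nil]`) is not turned into nil but is left as `[]`, and the existing comment `# Remove nils from the params hash` does not say so. A caller that guards a lookup with `.nil?` will still let `[]` through, and whether that is harmless depends on how the value reaches a finder, which is not visible here. I would document the contract above the method, e.g. `# Values equal to [nil] become nil; nils inside other arrays are dropped, which can leave [] (not nil).`, and add a test that pins the result for `[nil]`, `[nil, nil]` and `[nil, "a"]`. The `Request` class continues past the end of this hunk.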
@@ -112,3 +115,40 @@ module ActionController
     end
   end
 end
+
+# CVE-2012-2695
+# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59
+module ActiveRecord
+  class Base
+    class << self
+      def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
+        attrs = expand_hash_conditions_for_aggregates(attrs)
+
+        conditions = attrs.map do |attr, value|
+          table_name = default_table_name
+
+          if not value.is_a?(Hash)
+            attr = attr.to_s
+
+            # Extract table name from qualified attribute names.
+            if attr.include?('.') and top_level
+              attr_table_name, attr = attr.split('.', 2)
+              attr_table_name = connection.quote_table_name(attr_table_name)
+            else
+              attr_table_name = table_name
+            end
+
+            attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
+          elsif top_level
+            sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
+          else
+            raise ActiveRecord::StatementInvalid
+          end
+        end.join(' AND ')
+
+        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
+      end
+      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
+    end
+  end
+end
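Review bot: The `else` branch of the new `sanitize_sql_hash_for_conditions` raises `ActiveRecord::StatementInvalid` with no message, so the one case this override exists to reject (a hash nested below the `table => column` level) cannot be told apart from any other statement failure in the logs. A message such as `raise ActiveRecord::StatementInvalid, "nested hash conditions are only allowed one level deep"` would make rejected requests easy to spot and alert on. The method is also redefined wholesale with no visible guard on the Rails version, so a later framework upgrade would, as far as this hunk shows, keep running this copy. A comment like `# Remove once the bundled Rails includes the CVE-2012-2695 fix` next to the CVE reference would record that. The file list names only the initializer and the changelog, so a regression test passing a two-level nested hash as a condition value would be worth adding.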
index bd627d6e70ce02ca46f016a6814c37d77c03744e..e87a9136bbaf92d23cc76366b87a2012ec0f318e 100644 (file)
@@ -13,6 +13,7 @@ http://www.redmine.org/
 * Defect #11178: Spent time sorted by date-descending order lists same-date entries in physical order
 * Feature #6597: Configurable session lifetime and timeout
 * Patch #11113: Small glitch in German localization
+* Fix for Rails vulnerabilities CVE-2012-2694 and CVE-2012-2695
 
 == 2012-06-05 v1.4.3