diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2012-06-17 09:21:16 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2012-06-17 09:21:16 +0000 |
| commit | 933e96116e16df76600de376b45f2d6f6427a259 (patch) | |
| tree | 7a18bf363571ad0281dd0a435e10f30ab34214ff | |
| parent | 10711fda6d6088d4ed87c5f63f4d89c9729d92e3 (diff) | |
| download | redmine-933e96116e16df76600de376b45f2d6f6427a259.tar.gz redmine-933e96116e16df76600de376b45f2d6f6427a259.zip | |
Fix for Rails vulnerabilities CVE-2012-2694 and CVE-2012-2695.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.4-stable@9849 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | config/initializers/10-patches.rb | 46 | ||||
| -rw-r--r-- | doc/CHANGELOG | 1 |
2 files changed, 44 insertions, 3 deletions
diff --git a/config/initializers/10-patches.rb b/config/initializers/10-patches.rb index 43cd7d0a8..fd624c79c 100644 --- a/config/initializers/10-patches.rb +++ b/config/initializers/10-patches.rb @@ -88,22 +88,25 @@ module ActionController # CVE-2012-2660 # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f + # CVE-2012-2694 + # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/8c82d9df8b401c5e class Request protected # Remove nils from the params hash def deep_munge(hash) + keys = hash.keys.find_all { |k| hash[k] == [nil] } + keys.each { |k| hash[k] = nil } + hash.each_value do |v| case v when Array v.grep(Hash) { |x| deep_munge(x) } + v.compact! when Hash deep_munge(v) end end - - keys = hash.keys.find_all { |k| hash[k] == [nil] } - keys.each { |k| hash[k] = nil } hash end @@ -112,3 +115,40 @@ module ActionController end end end + +# CVE-2012-2695 +# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59 +module ActiveRecord + class Base + class << self + def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true) + attrs = expand_hash_conditions_for_aggregates(attrs) + + conditions = attrs.map do |attr, value| + table_name = default_table_name + + if not value.is_a?(Hash) + attr = attr.to_s + + # Extract table name from qualified attribute names. + if attr.include?('.') and top_level + attr_table_name, attr = attr.split('.', 2) + attr_table_name = connection.quote_table_name(attr_table_name) + else + attr_table_name = table_name + end + + attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value) + elsif top_level + sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false) + else + raise ActiveRecord::StatementInvalid + end + end.join(' AND ') + + replace_bind_variables(conditions, expand_range_bind_variables(attrs.values)) + end + alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions + end + end +end diff --git a/doc/CHANGELOG b/doc/CHANGELOG index bd627d6e7..e87a9136b 100644 --- a/doc/CHANGELOG +++ b/doc/CHANGELOG @@ -13,6 +13,7 @@ http://www.redmine.org/ * Defect #11178: Spent time sorted by date-descending order lists same-date entries in physical order * Feature #6597: Configurable session lifetime and timeout * Patch #11113: Small glitch in German localization +* Fix for Rails vulnerabilities CVE-2012-2694 and CVE-2012-2695 == 2012-06-05 v1.4.3 |