Hello community, here is the log from the commit of package rubygem-activerecord-2_3 for openSUSE:12.2 checked in at 2012-08-09 17:55:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2/rubygem-activerecord-2_3 (Old) and /work/SRC/openSUSE:12.2/.rubygem-activerecord-2_3.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "rubygem-activerecord-2_3", Maintainer is "MRueckert@suse.com" Changes: -------- --- /work/SRC/openSUSE:12.2/rubygem-activerecord-2_3/rubygem-activerecord-2_3.changes 2012-06-25 15:52:12.000000000 +0200 +++ /work/SRC/openSUSE:12.2/.rubygem-activerecord-2_3.new/rubygem-activerecord-2_3.changes 2012-08-09 17:56:09.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Jul 18 15:13:34 UTC 2012 - mrueckert@suse.de + +- added 2-3-sql-injection.patch (CVE-2012-2695) (bnc#766792) + +------------------------------------------------------------------- New: ---- 2-3-sql-injection.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-activerecord-2_3.spec ++++++ --- /var/tmp/diff_new_pack.zuD9VT/_old 2012-08-09 17:56:10.000000000 +0200 +++ /var/tmp/diff_new_pack.zuD9VT/_new 2012-08-09 17:56:10.000000000 +0200 @@ -35,6 +35,7 @@ # Url: http://www.rubyonrails.org Source: %{mod_full_name}.gem +Patch0: 2-3-sql-injection.patch # Summary: Implements the ActiveRecord pattern for ORM %description @@ -62,6 +63,9 @@ %build %install %gem_install %{S:0} +pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/ +patch -p2 < %{P:0} +popd %clean %{__rm} -rf %{buildroot} ++++++ 2-3-sql-injection.patch ++++++
From 5dc350ceef0dfd8822218aec5edfbd18ed7ad0ed Mon Sep 17 00:00:00 2001 From: Justin Collins
Date: Fri, 1 Jun 2012 19:02:11 -0700 Subject: [PATCH] Fix SQL injection via nested hashes in conditions
--- activerecord/lib/active_record/base.rb | 10 ++++++---- activerecord/test/cases/finder_test.rb | 16 ++++++++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb index 461007f..d8a4daf 100755 --- a/activerecord/lib/active_record/base.rb +++ b/activerecord/lib/active_record/base.rb @@ -2333,17 +2333,17 @@ module ActiveRecord #:nodoc: # And for value objects on a composed_of relationship: # { :address => Address.new("123 abc st.", "chicago") } # # => "address_street='123 abc st.' and address_city='chicago'" - def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name) + def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true) attrs = expand_hash_conditions_for_aggregates(attrs) conditions = attrs.map do |attr, value| table_name = default_table_name - unless value.is_a?(Hash) + if not value.is_a?(Hash) attr = attr.to_s # Extract table name from qualified attribute names. - if attr.include?('.') + if attr.include?('.') and top_level attr_table_name, attr = attr.split('.', 2) attr_table_name = connection.quote_table_name(attr_table_name) else @@ -2351,8 +2351,10 @@ module ActiveRecord #:nodoc: end attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value) + elsif top_level + sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false) else - sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s)) + raise ActiveRecord::StatementInvalid end end.join(' AND ') diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb index c779a69..a191f0f 100644 --- a/activerecord/test/cases/finder_test.rb +++ b/activerecord/test/cases/finder_test.rb @@ -363,6 +363,22 @@ class FinderTest < ActiveRecord::TestCase } end + def test_hash_condition_find_with_improper_nested_hashes + assert_raise(ActiveRecord::StatementInvalid) { + Company.find(:first, :conditions => { :name => { :companies => { :id => 1 }}}) + } + end + + def test_hash_condition_find_with_dot_in_nested_column_name + assert_raise(ActiveRecord::StatementInvalid) { + Company.find(:first, :conditions => { :name => { "companies.id" => 1 }}) + } + end + + def test_hash_condition_find_with_dot_in_column_name_okay + assert Company.find(:first, :conditions => { "companies.id" => 1 }) + end + def test_hash_condition_find_with_escaped_characters Company.create("name" => "Ain't noth'n like' \#stuff") assert Company.find(:first, :conditions => { :name => "Ain't noth'n like' \#stuff" }) -- 1.7.4.4 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org