activerecord 3.2.5 → 3.2.6

data/CHANGELOG.md

@@ -1,3 +1,29 @@
+## Rails 3.2.6 (Jun 12, 2012) ##
+
+*   protect against the nesting of hashes changing the
+    table context in the next call to build_from_hash. This fix
+    covers this case as well.
+
+    CVE-2012-2695
+
+*   Revert earlier 'perf fix' (see 3.2.4 changelog / GH #6289). This
+    change introduced a regression (GH #6609). assoc.clear and
+    assoc.delete_all have loaded the association before doing the delete
+    since at least Rails 2.3. Doing the delete without loading the
+    records means that the `before_remove` and `after_remove` callbacks do
+    not get invoked. Therefore, this change was less a fix a more an
+    optimisation, which should only have gone into master.
+
+    *Jon Leighton*
+
+## Rails 3.2.5 (Jun 1, 2012) ##
+
+*   Restore behavior of Active Record 3.2.3 scopes.
+    A series of commits relating to preloading and scopes caused a regression.
+
+    *Andrew White*
+
+
 ## Rails 3.2.4 (May 31, 2012) ##
 
 *   Perf fix: Don't load the records when doing assoc.delete_all.
@@ -16,6 +42,7 @@
 *   Predicate builder should not recurse for determining where columns.
     Thanks to Ben Murphy for reporting this! CVE-2012-2661
 
+
 ## Rails 3.2.3 (March 30, 2012) ##
 
 *   Added find_or_create_by_{attribute}! dynamic method. *Andrew White*

data/lib/active_record/associations/collection_association.rb

@@ -154,7 +154,7 @@ module ActiveRecord
       #
       # See delete for more info.
       def delete_all
-        delete(:all).tap do
+        delete(load_target).tap do
           reset
           loaded!
         end
@@ -226,17 +226,7 @@ module ActiveRecord
       # are actually removed from the database, that depends precisely on
       # +delete_records+. They are in any case removed from the collection.
       def delete(*records)
-        dependent = options[:dependent]
-
-        if records.first == :all
-          if loaded? || dependent == :destroy
-            delete_or_destroy(load_target, dependent)
-          else
-            delete_records(:all, dependent)
-          end
-        else
-          delete_or_destroy(records, dependent)
-        end
+        delete_or_destroy(records, options[:dependent])
       end
 
       # Destroy +records+ and remove them from this association calling

data/lib/active_record/associations/has_and_belongs_to_many_association.rb

@@ -47,17 +47,11 @@ module ActiveRecord
             records = load_target if records == :all
             records.each { |record| owner.connection.delete(interpolate(sql, record)) }
           else
-            relation  = join_table
-            condition = relation[reflection.foreign_key].eq(owner.id)
-
-            unless records == :all
-              condition = condition.and(
-                relation[reflection.association_foreign_key].
-                  in(records.map { |x| x.id }.compact)
-              )
-            end
-
-            owner.connection.delete(relation.where(condition).compile_delete)
+            relation = join_table
+            stmt = relation.where(relation[reflection.foreign_key].eq(owner.id).
+              and(relation[reflection.association_foreign_key].in(records.map { |x| x.id }.compact))
+            ).compile_delete
+            owner.connection.delete stmt
           end
         end
 

data/lib/active_record/associations/has_many_association.rb

@@ -89,12 +89,8 @@ module ActiveRecord
             records.each { |r| r.destroy }
             update_counter(-records.length) unless inverse_updates_counter_cache?
           else
-            if records == :all
-              scope = scoped
-            else
-              keys  = records.map { |r| r[reflection.association_primary_key] }
-              scope = scoped.where(reflection.association_primary_key => keys)
-            end
+            keys  = records.map { |r| r[reflection.association_primary_key] }
+            scope = scoped.where(reflection.association_primary_key => keys)
 
             if method == :delete_all
               update_counter(-scope.delete_all)

data/lib/active_record/associations/has_many_through_association.rb

@@ -126,10 +126,6 @@ module ActiveRecord
         def delete_records(records, method)
           ensure_not_nested
 
-          # This is unoptimised; it will load all the target records
-          # even when we just want to delete everything.
-          records = load_target if records == :all
-
           scope = through_association.scoped.where(construct_join_attributes(*records))
 
           case method

data/lib/active_record/attribute_methods.rb

@@ -181,7 +181,9 @@ module ActiveRecord
 
     # Returns a hash of all the attributes with their names as keys and the values of the attributes as values.
     def attributes
-      Hash[@attributes.map { |name, _| [name, read_attribute(name)] }]
+      attrs = {}
+      attribute_names.each { |name| attrs[name] = read_attribute(name) }
+      attrs
     end
 
     # Returns an <tt>#inspect</tt>-like string for the value of the

data/lib/active_record/attribute_methods/time_zone_conversion.rb

@@ -42,8 +42,9 @@ module ActiveRecord
                     time = time.is_a?(String) ? Time.zone.parse(time) : time.to_time rescue time
                   end
                   time = time.in_time_zone rescue nil if time
+                  changed = read_attribute(:#{attr_name}) != time
                   write_attribute(:#{attr_name}, original_time)
-                  #{attr_name}_will_change!
+                  #{attr_name}_will_change! if changed
                   @attributes_cache["#{attr_name}"] = time
                 end
               EOV

data/lib/active_record/connection_adapters/abstract_mysql_adapter.rb

@@ -375,7 +375,7 @@ module ActiveRecord
 
       def tables(name = nil, database = nil, like = nil) #:nodoc:
         sql = "SHOW TABLES "
-        sql << "IN #{database} " if database
+        sql << "IN #{quote_table_name(database)} " if database
         sql << "LIKE #{quote(like)}" if like
 
         execute_and_free(sql, 'SCHEMA') do |result|

data/lib/active_record/relation/delegation.rb

@@ -32,12 +32,12 @@ module ActiveRecord
     protected
 
     def method_missing(method, *args, &block)
-      if Array.method_defined?(method)
-        ::ActiveRecord::Delegation.delegate method, :to => :to_a
-        to_a.send(method, *args, &block)
-      elsif @klass.respond_to?(method)
+      if @klass.respond_to?(method)
         ::ActiveRecord::Delegation.delegate_to_scoped_klass(method)
         scoping { @klass.send(method, *args, &block) }
+      elsif Array.method_defined?(method)
+        ::ActiveRecord::Delegation.delegate method, :to => :to_a
+        to_a.send(method, *args, &block)
       elsif arel.respond_to?(method)
         ::ActiveRecord::Delegation.delegate method, :to => :arel
         arel.send(method, *args, &block)
@@ -46,4 +46,4 @@ module ActiveRecord
       end
     end
   end
-end
+end

data/lib/active_record/relation/finder_methods.rb

@@ -190,7 +190,7 @@ module ActiveRecord
 
       join_dependency = construct_join_dependency_for_association_find
       relation = construct_relation_for_association_find(join_dependency)
-      relation = relation.except(:select, :order).select("1").limit(1)
+      relation = relation.except(:select, :order).select("1 AS one").limit(1)
 
       case id
       when Array, Hash
@@ -200,6 +200,8 @@ module ActiveRecord
       end
 
       connection.select_value(relation, "#{name} Exists") ? true : false
+    rescue ThrowResult
+      false
     end
 
     protected

data/lib/active_record/relation/predicate_builder.rb

@@ -1,16 +1,16 @@
 module ActiveRecord
   class PredicateBuilder # :nodoc:
-    def self.build_from_hash(engine, attributes, default_table, check_column = true)
+    def self.build_from_hash(engine, attributes, default_table, allow_table_name = true)
       predicates = attributes.map do |column, value|
         table = default_table
 
-        if value.is_a?(Hash)
+        if allow_table_name && value.is_a?(Hash)
           table = Arel::Table.new(column, engine)
           build_from_hash(engine, value, table, false)
         else
           column = column.to_s
 
-          if check_column && column.include?('.')
+          if allow_table_name && column.include?('.')
             table_name, column = column.split('.', 2)
             table = Arel::Table.new(table_name, engine)
           end

data/lib/active_record/version.rb

@@ -2,7 +2,7 @@ module ActiveRecord
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 2
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: activerecord
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 3
   prerelease: 
   segments: 
   - 3
   - 2
-  - 5
-  version: 3.2.5
+  - 6
+  version: 3.2.6
 platform: ruby
 authors: 
 - David Heinemeier Hansson
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-06-01 00:00:00 Z
+date: 2012-06-12 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -25,12 +25,12 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 5
+        hash: 3
         segments: 
         - 3
         - 2
-        - 5
-        version: 3.2.5
+        - 6
+        version: 3.2.6
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
@@ -41,12 +41,12 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 5
+        hash: 3
         segments: 
         - 3
         - 2
-        - 5
-        version: 3.2.5
+        - 6
+        version: 3.2.6
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency