activerecord 4.0.2 → 4.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: dc74a2593fb6cc4a95438536b2b4e118778d4f3b
-  data.tar.gz: 3b17d737b87ec85132bf0fc5ce145c53fad65438
+  metadata.gz: 6db6e96ad6545b979c2f76d92bce1f6062e5f3b7
+  data.tar.gz: d8195989b1dc14af19653ff60158301d1bacb0d9
 SHA512:
-  metadata.gz: 9f924a16123ae4b161d2664b050e14d435b011f0ba8dc6951aa564f5e379676f06ec08468edfdf34025f8607aaf0d41e4d4bb6c24304ce0b0ebb468b271aa77f
-  data.tar.gz: 831409dfd793544efc397938e886d62daa9317814d6da28f5218b71c25f128e216301e65e449ed103ac4d7660341ebef4983bd715484d84c610afa47bc303d06
+  metadata.gz: ac29a96f859a590c33dfdcd670342b133a4871f1db0b19c5d3c31b6fe0ca3e54b97aef90995a0b8d32e71028bcdfb1abdeb4b2d3a5ae8af94eeb6c80ab127424
+  data.tar.gz: 11b902aa9480022875b6e268f7819b5af03e8fa99009d342aa1348924bfaf829f730cd916330c0e5e707c4cd478f841ef56a75093b8c020d829c90d2b60b1381

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+*   Correctly escape PostgreSQL arrays.
+
+    Fixes: CVE-2014-0080
+
+
+## Rails 4.0.2 (December 02, 2013) ##
+
+*No changes*
+
+
 ## Rails 4.0.1 (November 01, 2013) ##
 
 *   `NullRelation#pluck` takes a list of columns

data/lib/active_record/connection_adapters/postgresql/cast.rb

@@ -138,12 +138,16 @@ module ActiveRecord
             end
           end
 
+          ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays
+
           def quote_and_escape(value)
             case value
             when "NULL"
               value
             else
-              "\"#{value.gsub(/"/,"\\\"")}\""
+              value = value.gsub(/\\/, ARRAY_ESCAPE)
+              value.gsub!(/"/,"\\\"")
+              "\"#{value}\""
             end
           end
       end

data/lib/active_record/version.rb

@@ -1,7 +1,7 @@
 module ActiveRecord
   # Returns the version of the currently loaded ActiveRecord as a Gem::Version
   def self.version
-    Gem::Version.new "4.0.2"
+    Gem::Version.new "4.0.3"
   end
 
   module VERSION #:nodoc:

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 4.0.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-03 00:00:00.000000000 Z
+date: 2014-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 4.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 4.0.3
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 4.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 4.0.3
 - !ruby/object:Gem::Dependency
   name: arel
   requirement: !ruby/object:Gem::Requirement
@@ -80,8 +80,10 @@ files:
 - README.rdoc
 - examples/performance.rb
 - examples/simple.rb
+- lib/active_record.rb
 - lib/active_record/aggregations.rb
 - lib/active_record/association_relation.rb
+- lib/active_record/associations.rb
 - lib/active_record/associations/alias_tracker.rb
 - lib/active_record/associations/association.rb
 - lib/active_record/associations/association_scope.rb
@@ -101,11 +103,12 @@ files:
 - lib/active_record/associations/has_many_through_association.rb
 - lib/active_record/associations/has_one_association.rb
 - lib/active_record/associations/has_one_through_association.rb
+- lib/active_record/associations/join_dependency.rb
 - lib/active_record/associations/join_dependency/join_association.rb
 - lib/active_record/associations/join_dependency/join_base.rb
 - lib/active_record/associations/join_dependency/join_part.rb
-- lib/active_record/associations/join_dependency.rb
 - lib/active_record/associations/join_helper.rb
+- lib/active_record/associations/preloader.rb
 - lib/active_record/associations/preloader/association.rb
 - lib/active_record/associations/preloader/belongs_to.rb
 - lib/active_record/associations/preloader/collection_association.rb
@@ -116,11 +119,10 @@ files:
 - lib/active_record/associations/preloader/has_one_through.rb
 - lib/active_record/associations/preloader/singular_association.rb
 - lib/active_record/associations/preloader/through_association.rb
-- lib/active_record/associations/preloader.rb
 - lib/active_record/associations/singular_association.rb
 - lib/active_record/associations/through_association.rb
-- lib/active_record/associations.rb
 - lib/active_record/attribute_assignment.rb
+- lib/active_record/attribute_methods.rb
 - lib/active_record/attribute_methods/before_type_cast.rb
 - lib/active_record/attribute_methods/dirty.rb
 - lib/active_record/attribute_methods/primary_key.rb
@@ -129,7 +131,6 @@ files:
 - lib/active_record/attribute_methods/serialization.rb
 - lib/active_record/attribute_methods/time_zone_conversion.rb
 - lib/active_record/attribute_methods/write.rb
-- lib/active_record/attribute_methods.rb
 - lib/active_record/autosave_association.rb
 - lib/active_record/base.rb
 - lib/active_record/callbacks.rb
@@ -176,9 +177,9 @@ files:
 - lib/active_record/locking/optimistic.rb
 - lib/active_record/locking/pessimistic.rb
 - lib/active_record/log_subscriber.rb
+- lib/active_record/migration.rb
 - lib/active_record/migration/command_recorder.rb
 - lib/active_record/migration/join_table.rb
-- lib/active_record/migration.rb
 - lib/active_record/model_schema.rb
 - lib/active_record/nested_attributes.rb
 - lib/active_record/null_relation.rb
@@ -192,6 +193,7 @@ files:
 - lib/active_record/railties/jdbcmysql_error.rb
 - lib/active_record/readonly_attributes.rb
 - lib/active_record/reflection.rb
+- lib/active_record/relation.rb
 - lib/active_record/relation/batches.rb
 - lib/active_record/relation/calculations.rb
 - lib/active_record/relation/delegation.rb
@@ -200,16 +202,15 @@ files:
 - lib/active_record/relation/predicate_builder.rb
 - lib/active_record/relation/query_methods.rb
 - lib/active_record/relation/spawn_methods.rb
-- lib/active_record/relation.rb
 - lib/active_record/result.rb
 - lib/active_record/runtime_registry.rb
 - lib/active_record/sanitization.rb
 - lib/active_record/schema.rb
 - lib/active_record/schema_dumper.rb
 - lib/active_record/schema_migration.rb
+- lib/active_record/scoping.rb
 - lib/active_record/scoping/default.rb
 - lib/active_record/scoping/named.rb
-- lib/active_record/scoping.rb
 - lib/active_record/serialization.rb
 - lib/active_record/serializers/xml_serializer.rb
 - lib/active_record/statement_cache.rb
@@ -225,19 +226,18 @@ files:
 - lib/active_record/timestamp.rb
 - lib/active_record/transactions.rb
 - lib/active_record/translation.rb
+- lib/active_record/validations.rb
 - lib/active_record/validations/associated.rb
 - lib/active_record/validations/presence.rb
 - lib/active_record/validations/uniqueness.rb
-- lib/active_record/validations.rb
 - lib/active_record/version.rb
-- lib/active_record.rb
+- lib/rails/generators/active_record.rb
 - lib/rails/generators/active_record/migration/migration_generator.rb
 - lib/rails/generators/active_record/migration/templates/create_table_migration.rb
 - lib/rails/generators/active_record/migration/templates/migration.rb
 - lib/rails/generators/active_record/model/model_generator.rb
 - lib/rails/generators/active_record/model/templates/model.rb
 - lib/rails/generators/active_record/model/templates/module.rb
-- lib/rails/generators/active_record.rb
 homepage: http://www.rubyonrails.org
 licenses:
 - MIT
@@ -260,7 +260,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.2
+rubygems_version: 2.2.0
 signing_key: 
 specification_version: 4
 summary: Object-relational mapper framework (part of Rails).