activerecord 4.0.8 → 4.0.9


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: c4745d3312fd56d5ef5c280dbe53dcad6eb2f4a0
4
- data.tar.gz: 96f13ec91a49b5149fdaef774450c1508f436797
3
+ metadata.gz: 1c03598a80e4948e20c4365cd9c27736d19ff1c9
4
+ data.tar.gz: 434049ee7aba353e571a54c3b8658a693ea323c0
5
5
  SHA512:
6
- metadata.gz: 13374d2082e6c5a4c019efffe9295a081b9d7c515e891ee36c8ae46df69fe3e6576a18aa88701033dcaa0d42eeaf2fb9eba0a3547848158cdb4b13b634bafaaa
7
- data.tar.gz: 69da6336fe69511f958d08c902d3b6283eb7634ef772136a2189646056cff17cacb37821bfae07c18375e230585be749d26cc2c1d0ca1f9ffd51bbf6e1b455c8
6
+ metadata.gz: a2009b19504ecb4c0e58fd4c4d527e934bfcf916dcc751250a19b6f216534fb4a2bcbcad81cb13f93e12e4bc3548faffb5325a5df0fab7c7263e5c147d13e5e6
7
+ data.tar.gz: c07330c8216c0d36a0c5bf0a081550469a36647ac26d4cc43a570ddb93c62bf3044fd4fd8631cf11430193f50fb9f04f7c44b1b09b9f7ab9afbd647a24327dca
data/CHANGELOG.md CHANGED
@@ -1,3 +1,12 @@
1
+ ## Rails 4.0.9 (August 18, 2014) ##
2
+
3
+ * Check attributes passed to `create_with` and `where`.
4
+
5
+ Fixes CVE-2014-3514.
6
+
7
+ *Rafael Mendonça França*
8
+
9
+
1
10
  ## Rails 4.0.8 (July 2, 2014) ##
2
11
 
3
12
  * Fix regression added from the latest security fix.
@@ -1,9 +1,12 @@
1
1
  require 'active_support/core_ext/array/wrap'
2
+ require 'active_model/forbidden_attributes_protection'
2
3
 
3
4
  module ActiveRecord
4
5
  module QueryMethods
5
6
  extend ActiveSupport::Concern
6
7
 
8
+ include ActiveModel::ForbiddenAttributesProtection
9
+
7
10
  # WhereChain objects act as placeholder for queries in which #where does not have any parameter.
8
11
  # In this case, #where must be chained with #not to return a new relation.
9
12
  class WhereChain
@@ -540,7 +543,10 @@ module ActiveRecord
540
543
  if opts == :chain
541
544
  WhereChain.new(self)
542
545
  else
543
- references!(PredicateBuilder.references(opts)) if Hash === opts
546
+ if Hash === opts
547
+ opts = sanitize_forbidden_attributes(opts)
548
+ references!(PredicateBuilder.references(opts))
549
+ end
544
550
 
545
551
  self.where_values += build_where(opts, rest)
546
552
  self
@@ -678,7 +684,13 @@ module ActiveRecord
678
684
  end
679
685
 
680
686
  def create_with!(value) # :nodoc:
681
- self.create_with_value = value ? create_with_value.merge(value) : {}
687
+ if value
688
+ value = sanitize_forbidden_attributes(value)
689
+ self.create_with_value = create_with_value.merge(value)
690
+ else
691
+ self.create_with_value = {}
692
+ end
693
+
682
694
  self
683
695
  end
684
696
 
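Review bot: In the where! hunk (`@@ -540,7 +543,10 @@`) the new `opts = sanitize_forbidden_attributes(opts)` call sits inside `if Hash === opts`, so unpermitted parameters are only rejected while the parameters object is a Hash subclass; hoisting it above the guard, `opts = sanitize_forbidden_attributes(opts)` followed by the original one-liner `references!(PredicateBuilder.references(opts)) if Hash === opts`, keeps the check independent of that inheritance relationship, assuming the helper passes through objects that do not respond to `permitted?` as its ActiveModel counterpart sanitize_for_mass_assignment does. where!'s signature lies above the hunk, so the method is only partly visible here. The `include ActiveModel::ForbiddenAttributesProtection` added in the first hunk would also benefit from a why-comment, e.g. `# Reject unpermitted ActionController::Parameters passed to where/create_with (CVE-2014-3514)`, since the CHANGELOG is currently the only place that motivation is recorded. In create_with! the call inside `if value` is fine as written, because nil can never carry a permitted? flag.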
@@ -1,7 +1,7 @@
1
1
  module ActiveRecord
2
2
  # Returns the version of the currently loaded ActiveRecord as a Gem::Version
3
3
  def self.version
4
- Gem::Version.new "4.0.8"
4
+ Gem::Version.new "4.0.9"
5
5
  end
6
6
 
7
7
  module VERSION #:nodoc:
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activerecord
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.0.8
4
+ version: 4.0.9
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-07-02 00:00:00.000000000 Z
11
+ date: 2014-08-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 4.0.8
19
+ version: 4.0.9
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 4.0.8
26
+ version: 4.0.9
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: activemodel
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 4.0.8
33
+ version: 4.0.9
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 4.0.8
40
+ version: 4.0.9
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: arel
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -265,3 +265,4 @@ signing_key:
265
265
  specification_version: 4
266
266
  summary: Object-relational mapper framework (part of Rails).
267
267
  test_files: []
268
+ has_rdoc: