activerecord 4.1.2 → 4.1.3

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of activerecord might be problematic. Click here for more details.

Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +9 -0
  3. data/lib/active_record/connection_adapters/postgresql/quoting.rb +4 -3
  4. data/lib/active_record/connection_adapters/postgresql_adapter.rb +1 -1
  5. data/lib/active_record/gem_version.rb +1 -1
  6. metadata +7 -7
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 1ef055204f89a711cb59cd10a0643ba8613a9689
4
- data.tar.gz: 393b6f3e3e20e28b82a4a14a70d2f74787f1e11c
3
+ metadata.gz: 54d877cf2dca612ca481408ab73b80142de0a312
4
+ data.tar.gz: eb54439fcecf1f63c0ee02c561aaf7b3a5809f68
5
5
  SHA512:
6
- metadata.gz: 3234a335fc5a6c7f7ab493535051416f07a37db67e0ad07dbbf92db0450ee9ff318c1e494b6b3921cc5f3f23765d618f378ec5bd68e898ce1805f24d9f37da8e
7
- data.tar.gz: a0cba43b092519e6f2c66269c38a3dca6d7ea9171c0a0e71c7726663dd05f36e68b9742a87c06de6efe2e5cea1a9e8f59272b11943e8c9483c1cc314e7e61d0f
6
+ metadata.gz: 27f307b733498adb7ee0bc3c1feee3b03898258a6f0286b08740a408deb3d4aceb5652b869dad962e135bae7229f2030677e2fe3679d8bbbee58090523cafa2f
7
+ data.tar.gz: 1a88c863de3cc5141916031a7521cc61f541457625d672d064bd7f56b634d390d1484525f5037eb6e8c1a8cd4341bb3034ab866e28e99e94db88192ef0130412
data/CHANGELOG.md CHANGED
@@ -1,3 +1,12 @@
1
+ ## Rails 4.1.3 (July 2, 2014) ##
2
+
3
+ * Fix SQL Injection Vulnerability in 'range' quoting.
4
+
5
+ Fixes CVE-2014-3483
6
+
7
+ *Rafael Mendonça França*
8
+
9
+
1
10
  ## Rails 4.1.2 (June 26, 2014) ##
2
11
 
3
12
  * Fix regression on eager loading association based on SQL query rather than
data/lib/active_record/connection_adapters/postgresql/quoting.rb CHANGED
@@ -23,7 +23,8 @@ module ActiveRecord
23
23
  case value
24
24
  when Range
25
25
  if /range$/ =~ sql_type
26
- "'#{PostgreSQLColumn.range_to_string(value)}'::#{sql_type}"
26
+ escaped = quote_string(PostgreSQLColumn.range_to_string(value))
27
+ "#{escaped}::#{sql_type}"
27
28
  else
28
29
  super
29
30
  end
@@ -70,8 +71,8 @@ module ActiveRecord
70
71
  when 'xml' then "xml '#{quote_string(value)}'"
71
72
  when /^bit/
72
73
  case value
73
- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
74
- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
74
+ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
75
+ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
75
76
  end
76
77
  else
77
78
  super
data/lib/active_record/connection_adapters/postgresql_adapter.rb CHANGED
@@ -819,7 +819,7 @@ module ActiveRecord
819
819
  FEATURE_NOT_SUPPORTED = "0A000" #:nodoc:
820
820
 
821
821
  def exec_no_cache(sql, name, binds)
822
- log(sql, name, binds) { @connection.async_exec(sql) }
822
+ log(sql, name, binds) { @connection.async_exec(sql, []) }
823
823
  end
824
824
 
825
825
  def exec_cache(sql, name, binds)
data/lib/active_record/gem_version.rb CHANGED
@@ -7,7 +7,7 @@ module ActiveRecord
7
7
  module VERSION
8
8
  MAJOR = 4
9
9
  MINOR = 1
10
- TINY = 2
10
+ TINY = 3
11
11
  PRE = nil
12
12
 
13
13
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activerecord
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.1.2
4
+ version: 4.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-06-26 00:00:00.000000000 Z
11
+ date: 2014-07-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 4.1.2
19
+ version: 4.1.3
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 4.1.2
26
+ version: 4.1.3
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: activemodel
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 4.1.2
33
+ version: 4.1.3
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 4.1.2
40
+ version: 4.1.3
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: arel
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -247,7 +247,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
247
247
  version: '0'
248
248
  requirements: []
249
249
  rubyforge_project:
250
- rubygems_version: 2.2.2
250
+ rubygems_version: 2.3.0
251
251
  signing_key:
252
252
  specification_version: 4
253
253
  summary: Object-relational mapper framework (part of Rails).