acts_as_taggable 2.0.0 → 2.0.1

data/CHANGELOG

@@ -1,3 +1,8 @@
+2.0.1
+    FEATURE: Source code now available via Subversion
+    BUGFIX: Typo fix in find_related_tags
+    SECURITY BUGFIX: Added sanitizer to all tag searching to prevent SQL injection
+    
 2.0
     FEATURE:Added in count_uniq_tagged with - (Patch by Lon Baker)
     BUGFIX: Fixed typos - (Patch Blair Zajac)

data/lib/taggable.rb

@@ -263,8 +263,10 @@ module ActiveRecord
 
           o, o_pk, o_fk, t, tn, t_pk, t_fk, jt = set_locals_for_sql
           sql = "SELECT #{o}.* FROM #{jt}, #{o}, #{t} WHERE #{jt}.#{t_fk} = #{t}.#{t_pk} 
-                AND (#{t}.#{tn} = '#{tag_names.join("' OR #{t}.#{tn}='")}')
                 AND #{o}.#{o_pk} = #{jt}.#{o_fk}"
+          sql << " AND  ("
+          sql << tag_names.collect {|tag| sanitize_sql( ["#{t}.#{tn} = ?",tag])}.join(" OR ")
+          sql << ")"
           sql << " AND #{sanitize_sql(options[:conditions])}" if options[:conditions]
           sql << " GROUP BY #{o}.#{o_pk}"
           sql << " HAVING COUNT(#{o}.#{o_pk}) = #{tag_names.length}" if options[:all]              
@@ -342,9 +344,11 @@ module ActiveRecord
 
             o, o_pk, o_fk, t, tn, t_pk, t_fk, jt = set_locals_for_sql
             sql = "SELECT COUNT(DISTINCT #{o}.#{o_pk}) FROM #{jt}, #{o}, #{t} WHERE #{jt}.#{t_fk} = #{t}.#{t_pk} 
-                   AND (#{t}.#{tn} = '#{tag_names.join("' OR #{t}.#{tn} ='")}')
                    AND #{o}.#{o_pk} = #{jt}.#{o_fk}"
-            sql << " AND #{sanitize_sql(options[:conditions])}" if options[:conditions]
+          sql << " AND  ("
+          sql << tag_names.collect {|tag| sanitize_sql( ["#{t}.#{tn} = ?",tag])}.join(" OR ")
+          sql << ")"
+          sql << " AND #{sanitize_sql(options[:conditions])}" if options[:conditions]
             count_by_sql(sql)
         end
         
@@ -395,15 +399,17 @@ module ActiveRecord
           o, o_pk, o_fk, t, tn, t_pk, t_fk, jt = set_locals_for_sql
           
           sql = "SELECT jt.#{o_fk} AS o_id FROM #{jt} jt, #{t} t 
-                 WHERE jt.#{t_fk} = t.#{t_pk} 
-                 AND (t.#{tn} IN ('#{tag_names.uniq.join("', '")}')) 
-                 GROUP BY jt.#{o_fk} 
+                 WHERE jt.#{t_fk} = t.#{t_pk} "
+          sql << " AND  ( t.#{tn} IN ("
+          sql << tag_names.uniq.collect {|tag| sanitize_sql(tag)}.join(",")
+          sql << "))"
+          sql << "GROUP BY jt.#{o_fk} 
                  HAVING COUNT(jt.#{o_fk})=#{tag_names.length}"
           
           o_ids = connection.select_all(sql).map { |row| row['o_id'] }
           return options[:raw] ? [] : {} if o_ids.length < 1
 
-          sql = "SELECT t.#{t_pk} AS id, t.#{n} AS #{tn}, COUNT(jt.#{o_fk}) AS count FROM #{jt} jt, #{t} t 
+          sql = "SELECT t.#{t_pk} AS id, t.#{tn} AS #{tn}, COUNT(jt.#{o_fk}) AS count FROM #{jt} jt, #{t} t 
                  WHERE jt.#{o_fk} IN (#{o_ids.join(",")}) 
                  AND t.#{t_pk} = jt.#{t_fk}
                  GROUP BY jt.#{t_fk} 

metadata

@@ -3,14 +3,14 @@ rubygems_version: 0.8.11
 specification_version: 1
 name: acts_as_taggable
 version: !ruby/object:Gem::Version 
-  version: 2.0.0
-date: 2006-07-28 00:00:00 -05:00
+  version: 2.0.1
+date: 2006-08-02 00:00:00 -05:00
 summary: An acts-as Mixin for easy applying and searching tags/folksnomies on Active Record objects
 require_paths: 
 - lib
-email: "ruby @nospam@ economysizegeek "
-homepage: http://taggable.rubyforge.org/
-rubyforge_project: http://rubyforge.org/projects/taggable/
+email: ruby @nospam@ economysizegeek.com
+homepage: 
+rubyforge_project: 
 description: 
 autorequire: taggable
 default_executable: 
@@ -26,12 +26,10 @@ platform: ruby
 signing_key: 
 cert_chain: 
 authors: 
-- Demetrius Nunes, Dirk Elmendorf
+- Demetrius Nunes,Dirk Elmendorf
 files: 
 - lib/taggable.rb
-- test/fixtures
 - test/acts_as_taggable_test.rb
-- test/debug.log
 - README
 - CHANGELOG
 test_files: []