[DRE-commits] [SCM] ruby-activemodel-3.2.git branch, master-experimental, updated. debian/3.2.6-2-17-g0484034

Ondřej Surý ondrej at sury.org
Tue Feb 12 15:53:56 UTC 2013


The following commit has been merged in the master-experimental branch:
commit 36f064f5e16d4f98fa8bf8276379930c11092e35
Author: Ondřej Surý <ondrej at sury.org>
Date:   Tue Feb 12 16:53:21 2013 +0100

    Fix circumvention of attr_protected [CVE-2013-0276]

diff --git a/debian/patches/CVE-2013-0276.patch b/debian/patches/CVE-2013-0276.patch
new file mode 100644
index 0000000..fe3374a
--- /dev/null
+++ b/debian/patches/CVE-2013-0276.patch
@@ -0,0 +1,34 @@
+From 060bb7250b963609a0d8a5d0559e36b99d2402c6 Mon Sep 17 00:00:00 2001
+From: joernchen of Phenoelit <joernchen at phenoelit.de>
+Date: Sat, 9 Feb 2013 15:46:44 -0800
+Subject: [PATCH] Fix issue with attr_protected where malformed input could
+ circumvent protection
+
+Fixes: CVE-2013-0276
+---
+ activemodel/lib/active_model/attribute_methods.rb                       | 2 +-
+ activemodel/lib/active_model/mass_assignment_security/permission_set.rb | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/active_model/attribute_methods.rb
++++ b/lib/active_model/attribute_methods.rb
+@@ -365,7 +365,7 @@ module ActiveModel
+             end
+ 
+             @prefix, @suffix = options[:prefix] || '', options[:suffix] || ''
+-            @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/
++            @regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/
+             @method_missing_target = "#{@prefix}attribute#{@suffix}"
+             @method_name = "#{prefix}%s#{suffix}"
+           end
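Review bot: the switch from `^`/`$` to `\A`/`\z` in the attribute-pattern regex is the right fix, because in Ruby `^` and `$` are line anchors, so `/^(prefix)(.+?)(suffix)$/` also accepts a method name with an embedded newline by matching only its first line, whereas `\A`/`\z` force the whole string to match. `\z` is correctly chosen over `\Z` here, since `\Z` still tolerates a trailing newline. Worth grepping the rest of the module for the same `^...$` idiom, since this hunk only corrects the one regex in the pattern initializer.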
+--- a/lib/active_model/mass_assignment_security/permission_set.rb
++++ b/lib/active_model/mass_assignment_security/permission_set.rb
+@@ -19,7 +19,7 @@ module ActiveModel
+     protected
+ 
+       def remove_multiparameter_id(key)
+-        key.to_s.gsub(/\(.+/, '')
++        key.to_s.gsub(/\(.+/m, '')
+       end
+     end
+ 
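Review bot: the `/m` flag on `gsub(/\(.+/m, '')` is what closes the hole, because without it `.` does not match a newline, so a key whose `(` is followed by a newline is not stripped by `remove_multiparameter_id` and the blacklist is compared against the unstripped name rather than the attribute the multiparameter key resolves to; with `/m` everything from the first `(` to the end of the string is removed regardless of newlines. Two housekeeping points on the patch file: the diffstat lines still show `activemodel/lib/...` while the hunk headers were rewritten to `lib/...` for the Debian source layout, and the file carries no DEP-3 headers, so consider adding an `Origin: upstream` line that references the commit hash already given on the From line.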
diff --git a/debian/patches/series b/debian/patches/series
index 55525fb..38dbc7b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 remove-rubygems-requirement.patch
+CVE-2013-0276.patch

-- 
ruby-activemodel-3.2.git