[DRE-commits] [SCM] ruby-activerecord-2.3.git branch, master, updated. debian/2.3.14-4-3-gb2a02b7
Ondřej Surý
ondrej at sury.org
Tue Feb 12 16:11:05 UTC 2013
The following commit has been merged in the master branch:
commit c328d3c69d475f836b1b45c08b8e3f3fbc7cffb3
Author: Ondřej Surý <ondrej at sury.org>
Date: Tue Feb 12 17:02:53 2013 +0100
Fix circumvention of attr_protected [CVE-2013-0276]
diff --git a/debian/patches/CVE-2013-0276.patch b/debian/patches/CVE-2013-0276.patch
new file mode 100644
index 0000000..2987a87
--- /dev/null
+++ b/debian/patches/CVE-2013-0276.patch
@@ -0,0 +1,38 @@
+From 9a48f4cf329f66682c34c86822d625d63dbb6919 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sat, 9 Feb 2013 16:31:04 -0800
+Subject: [PATCH] fixing attr_protected CVE-2013-0276
+
+---
+ activerecord/lib/active_record/attribute_methods.rb | 2 +-
+ activerecord/lib/active_record/base.rb | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/lib/active_record/attribute_methods.rb
++++ b/lib/active_record/attribute_methods.rb
+@@ -130,7 +130,7 @@ module ActiveRecord
+ # Suffixes a, ?, c become regexp /(a|\?|c)$/
+ def rebuild_attribute_method_regexp
+ suffixes = attribute_method_suffixes.map { |s| Regexp.escape(s) }
+- @@attribute_method_regexp = /(#{suffixes.join('|')})$/.freeze
++ @@attribute_method_regexp = /(#{suffixes.join('|')})\z/.freeze
+ end
+
+ # Default to =, ?, _before_type_cast
+--- a/lib/active_record/base.rb
++++ b/lib/active_record/base.rb
+@@ -2998,11 +2998,11 @@ module ActiveRecord #:nodoc:
+ def remove_attributes_protected_from_mass_assignment(attributes)
+ safe_attributes =
+ if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
+- attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
++ attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
+ elsif self.class.protected_attributes.nil?
+- attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
++ attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/m, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
+ elsif self.class.accessible_attributes.nil?
+- attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
++ attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/m,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
+ else
+ raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both."
+ end
diff --git a/debian/patches/series b/debian/patches/series
index a4803e0..0cba677 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
activerecord-2.3.5-1.patch
2-3-dynamic_finder_injection.patch
CVE-2013-0155.patch
+CVE-2013-0276.patch
--
ruby-activerecord-2.3.git
More information about the Pkg-ruby-extras-commits
mailing list