[DRE-commits] [SCM] ruby-activerecord-2.3.git branch, master, updated. debian/2.3.14-4-3-gb2a02b7
Ondřej Surý
ondrej at sury.org
Tue Feb 12 16:11:06 UTC 2013
The following commit has been merged in the master branch:
commit 88a22155e6ee0d5b9f151cd7ccded3af3afb871f
Author: Ondřej Surý <ondrej at sury.org>
Date: Tue Feb 12 17:03:26 2013 +0100
Fix serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]
diff --git a/debian/patches/CVE-2013-0277.patch b/debian/patches/CVE-2013-0277.patch
new file mode 100644
index 0000000..e9aae12
--- /dev/null
+++ b/debian/patches/CVE-2013-0277.patch
@@ -0,0 +1,58 @@
+From d4a53b2e02106c6734bbfea2a0e209febd5f36bd Mon Sep 17 00:00:00 2001
+From: Tobias Kraze <tobias at kraze.eu>
+Date: Fri, 8 Feb 2013 12:52:10 +0100
+Subject: [PATCH] fix serialization vulnerability
+
+---
+ .../lib/active_record/attribute_methods.rb | 17 ++++++++++++++++-
+ activerecord/test/cases/base_test.rb | 6 ++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/lib/active_record/attribute_methods.rb
++++ b/lib/active_record/attribute_methods.rb
+@@ -80,7 +80,9 @@ module ActiveRecord
+ end
+
+ unless instance_method_already_implemented?("#{name}=")
+- if create_time_zone_conversion_attribute?(name, column)
++ if self.serialized_attributes[name]
++ define_write_method_for_serialized_attribute(name)
++ elsif create_time_zone_conversion_attribute?(name, column)
+ define_write_method_for_time_zone_conversion(name)
+ else
+ define_write_method(name.to_sym)
+@@ -184,6 +186,19 @@ module ActiveRecord
+ def define_write_method(attr_name)
+ evaluate_attribute_method attr_name, "def #{attr_name}=(new_value);write_attribute('#{attr_name}', new_value);end", "#{attr_name}="
+ end
++
++ # Defined for all serialized attributes. Disallows assigning already serialized YAML.
++ def define_write_method_for_serialized_attribute(attr_name)
++ method_body = <<-EOV
++ def #{attr_name}=(value)
++ if value.is_a?(String) and value =~ /^---/
++ raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
++ end
++ write_attribute(:#{attr_name}, value)
++ end
++ EOV
++ evaluate_attribute_method attr_name, method_body, "#{attr_name}="
++ end
+
+ # Defined for all +datetime+ and +timestamp+ attributes when +time_zone_aware_attributes+ are enabled.
+ # This enhanced write method will automatically convert the time passed to it to the zone stored in Time.zone.
+--- a/test/cases/base_test.rb
++++ b/test/cases/base_test.rb
+@@ -1499,6 +1499,12 @@ class BasicsTest < ActiveRecord::TestCas
+ assert_nil topic.content
+ end
+
++ def test_should_raise_exception_on_assigning_already_serialized_content
++ topic = Topic.new
++ serialized_content = %w[foo bar].to_yaml
++ assert_raise(ActiveRecord::ActiveRecordError) { topic.content = serialized_content }
++ end
++
+ def test_should_raise_exception_on_serialized_attribute_with_type_mismatch
+ myobj = MyObject.new('value1', 'value2')
+ topic = Topic.new(:content => myobj)
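Review bot: The guard added in define_write_method_for_serialized_attribute is a prefix heuristic rather than a type check — it refuses only a String in which some line begins with `---` (`^` matches at every line start, which is the broader and here intended reading) — and neither the comment above the method nor the new test says so, so a later maintainer may read it as a complete filter. I would extend the comment to `# Defined for all serialized attributes. Rejects Strings that carry a YAML document marker (---) so raw YAML is not written to the column and deserialized on read; this is a heuristic on the marker, not a guarantee that only serialized objects reach the column.` The `and` in the condition should be `&&`, `if value.is_a?(String) && value =~ /^---/`, per the style guide and to avoid precedence surprises if the expression is ever reworked. The test in the second inner hunk covers only `%w[foo bar].to_yaml`; a companion case assigning a plain non-YAML String to the same attribute would pin down that ordinary strings are still accepted, which the message of the raised error implies but nothing verifies.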
diff --git a/debian/patches/series b/debian/patches/series
index 0cba677..b3fba31 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ activerecord-2.3.5-1.patch
2-3-dynamic_finder_injection.patch
CVE-2013-0155.patch
CVE-2013-0276.patch
+CVE-2013-0277.patch