[DRE-commits] [SCM] ruby-activerecord-2.3.git branch, master, updated. debian/2.3.14-4-3-gb2a02b7

Ondřej Surý ondrej at sury.org
Tue Feb 12 16:11:06 UTC 2013


The following commit has been merged in the master branch:
commit 88a22155e6ee0d5b9f151cd7ccded3af3afb871f
Author: Ondřej Surý <ondrej at sury.org>
Date:   Tue Feb 12 17:03:26 2013 +0100

    Fix serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277]

diff --git a/debian/patches/CVE-2013-0277.patch b/debian/patches/CVE-2013-0277.patch
new file mode 100644
index 0000000..e9aae12
--- /dev/null
+++ b/debian/patches/CVE-2013-0277.patch
@@ -0,0 +1,58 @@
+From d4a53b2e02106c6734bbfea2a0e209febd5f36bd Mon Sep 17 00:00:00 2001
+From: Tobias Kraze <tobias at kraze.eu>
+Date: Fri, 8 Feb 2013 12:52:10 +0100
+Subject: [PATCH] fix serialization vulnerability
+
+---
+ .../lib/active_record/attribute_methods.rb         |   17 ++++++++++++++++-
+ activerecord/test/cases/base_test.rb               |    6 ++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/lib/active_record/attribute_methods.rb
++++ b/lib/active_record/attribute_methods.rb
+@@ -80,7 +80,9 @@ module ActiveRecord
+           end
+ 
+           unless instance_method_already_implemented?("#{name}=")
+-            if create_time_zone_conversion_attribute?(name, column)
++            if self.serialized_attributes[name]
++              define_write_method_for_serialized_attribute(name)
++            elsif create_time_zone_conversion_attribute?(name, column)
+               define_write_method_for_time_zone_conversion(name)
+             else  
+               define_write_method(name.to_sym)
+@@ -184,6 +186,19 @@ module ActiveRecord
+         def define_write_method(attr_name)
+           evaluate_attribute_method attr_name, "def #{attr_name}=(new_value);write_attribute('#{attr_name}', new_value);end", "#{attr_name}="
+         end
++
++        # Defined for all serialized attributes. Disallows assigning already serialized YAML.
++        def define_write_method_for_serialized_attribute(attr_name)
++          method_body = <<-EOV
++            def #{attr_name}=(value)
++              if value.is_a?(String) and value =~ /^---/
++                raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
++              end
++              write_attribute(:#{attr_name}, value)
++            end
++          EOV
++          evaluate_attribute_method attr_name, method_body, "#{attr_name}="
++        end
+         
+         # Defined for all +datetime+ and +timestamp+ attributes when +time_zone_aware_attributes+ are enabled.
+         # This enhanced write method will automatically convert the time passed to it to the zone stored in Time.zone.
+--- a/test/cases/base_test.rb
++++ b/test/cases/base_test.rb
+@@ -1499,6 +1499,12 @@ class BasicsTest < ActiveRecord::TestCas
+     assert_nil topic.content
+   end
+ 
++  def test_should_raise_exception_on_assigning_already_serialized_content
++    topic = Topic.new
++    serialized_content = %w[foo bar].to_yaml
++    assert_raise(ActiveRecord::ActiveRecordError) { topic.content = serialized_content }
++  end
++
+   def test_should_raise_exception_on_serialized_attribute_with_type_mismatch
+     myobj = MyObject.new('value1', 'value2')
+     topic = Topic.new(:content => myobj)
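Review bot: The rejection in `define_write_method_for_serialized_attribute` lives only in the generated `attr=` writer, so assignments that go through `write_attribute` or `record[:attr] = value` directly are not checked; if the read side deserializes any stored string that begins with `---` (that code is outside the hunk), the check would be more robust in the shared write path than in the generated method. The regex `/^---/` anchors per line in Ruby, so a legitimate multi-line string containing a line that starts with `---` is rejected as well; that is the conservative direction for a deny-check, but `\A` would be the precise anchor if the read side only treats strings starting with `---` as YAML, and either way the choice deserves a comment on that line. The condition should use `&&` rather than the low-precedence `and`: `if value.is_a?(String) && value =~ /^---/`. The added test pins only the rejection; a companion assertion that a plain string such as `'plain'` is still accepted by `topic.content=` would guard against the check becoming over-broad.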
diff --git a/debian/patches/series b/debian/patches/series
index 0cba677..b3fba31 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ activerecord-2.3.5-1.patch
 2-3-dynamic_finder_injection.patch
 CVE-2013-0155.patch
 CVE-2013-0276.patch
+CVE-2013-0277.patch
