[DRE-commits] [SCM] ruby-activerecord-2.3.git branch, master, updated. debian/2.3.14-2-7-g90483c0
Antonio Terceiro
terceiro at debian.org
Wed Jan 16 11:21:03 UTC 2013
The following commit has been merged in the master branch:
commit d072785954d4f014511bfb0f439a9a7b0772cd80
Author: Antonio Terceiro <terceiro at debian.org>
Date: Thu Jan 3 11:24:18 2013 -0300
Add upstream patch for CVE-2012-5664
diff --git a/debian/patches/2-3-dynamic_finder_injection.patch b/debian/patches/2-3-dynamic_finder_injection.patch
new file mode 100644
index 0000000..0da4470
--- /dev/null
+++ b/debian/patches/2-3-dynamic_finder_injection.patch
@@ -0,0 +1,54 @@
+From 9de9b359d0d24f70f0f6c5c58a7ad8750684d456 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sun, 23 Dec 2012 11:07:07 -0800
+Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if
+ there are extra parameters
+
+---
+ activerecord/lib/active_record/base.rb | 6 +++++-
+ activerecord/test/cases/finder_test.rb | 12 ++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
+index 461007f..809a38c 100755
+--- a/activerecord/lib/active_record/base.rb
++++ b/activerecord/lib/active_record/base.rb
+@@ -1897,7 +1897,11 @@ module ActiveRecord #:nodoc:
+ # end
+ self.class_eval <<-EOS, __FILE__, __LINE__ + 1
+ def self.#{method_id}(*args)
+- options = args.extract_options!
++ options = if args.length > #{attribute_names.size}
++ args.extract_options!
++ else
++ {}
++ end
+ attributes = construct_attributes_from_arguments(
+ [:#{attribute_names.join(',:')}],
+ args
+diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb
+index c779a69..9e3ab92 100644
+--- a/activerecord/test/cases/finder_test.rb
++++ b/activerecord/test/cases/finder_test.rb
+@@ -66,6 +66,18 @@ end
+ class FinderTest < ActiveRecord::TestCase
+ fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers
+
++ def test_find_by_id_with_hash
++ assert_raises(ActiveRecord::StatementInvalid) do
++ Post.find_by_id(:limit => 1)
++ end
++ end
++
++ def test_find_by_title_and_id_with_hash
++ assert_raises(ActiveRecord::StatementInvalid) do
++ Post.find_by_title_and_id('foo', :limit => 1)
++ end
++ end
++
+ def test_find
+ assert_equal(topics(:first).title, Topic.find(1).title)
+ end
+--
+1.7.10.2 (Apple Git-33)
+
diff --git a/debian/patches/series b/debian/patches/series
index 401ba5e..9e176dd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
0001-remove_require_rubygems.patch
activerecord-2.3.5-1.patch
+2-3-dynamic_finder_injection.patch
--
ruby-activerecord-2.3.git
More information about the Pkg-ruby-extras-commits
mailing list