[DRE-commits] [SCM] ruby-activerecord-2.3.git branch, master, updated. debian/2.3.14-2-7-g90483c0

[Antonio Terceiro]

The following commit has been merged in the master branch:
commit d072785954d4f014511bfb0f439a9a7b0772cd80
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Thu Jan 3 11:24:18 2013 -0300

    Add upstream patch for CVE-2012-5664

diff --git a/debian/patches/2-3-dynamic_finder_injection.patch b/debian/patches/2-3-dynamic_finder_injection.patch
new file mode 100644
index 0000000..0da4470
--- /dev/null
+++ b/debian/patches/2-3-dynamic_finder_injection.patch
@@ -0,0 +1,54 @@
+From 9de9b359d0d24f70f0f6c5c58a7ad8750684d456 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sun, 23 Dec 2012 11:07:07 -0800
+Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if
+ there are extra parameters
+
+---
+ activerecord/lib/active_record/base.rb |    6 +++++-
+ activerecord/test/cases/finder_test.rb |   12 ++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
+index 461007f..809a38c 100755
+--- a/activerecord/lib/active_record/base.rb
++++ b/activerecord/lib/active_record/base.rb
+@@ -1897,7 +1897,11 @@ module ActiveRecord #:nodoc:
+               # end
+               self.class_eval <<-EOS, __FILE__, __LINE__ + 1
+                 def self.#{method_id}(*args)
+-                  options = args.extract_options!
++                  options = if args.length > #{attribute_names.size}
++                              args.extract_options!
++                            else
++                              {}
++                            end
+                   attributes = construct_attributes_from_arguments(
+                     [:#{attribute_names.join(',:')}],
+                     args
+diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb
+index c779a69..9e3ab92 100644
+--- a/activerecord/test/cases/finder_test.rb
++++ b/activerecord/test/cases/finder_test.rb
+@@ -66,6 +66,18 @@ end
+ class FinderTest < ActiveRecord::TestCase
+   fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers
+ 
++  def test_find_by_id_with_hash
++    assert_raises(ActiveRecord::StatementInvalid) do
++      Post.find_by_id(:limit => 1)
++    end
++  end
++
++  def test_find_by_title_and_id_with_hash
++    assert_raises(ActiveRecord::StatementInvalid) do
++      Post.find_by_title_and_id('foo', :limit => 1)
++    end
++  end
++
+   def test_find
+     assert_equal(topics(:first).title, Topic.find(1).title)
+   end
+-- 
+1.7.10.2 (Apple Git-33)
+
diff --git a/debian/patches/series b/debian/patches/series
index 401ba5e..9e176dd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001-remove_require_rubygems.patch
 activerecord-2.3.5-1.patch
+2-3-dynamic_finder_injection.patch

-- 
ruby-activerecord-2.3.git