Created
June 13, 2012 03:42
Monkey patch for CVE-2012-2695 on Rails 2.3.14
# Monkey patch for CVE-2012-2695 on Rails 2.3.14
# put this file in your config/initializers directory
# comments/corrections: https://gist.github.com/2921706
# Ruby on Rails SQL Injection
# based on a patch from @presidentbeef
# https://rubyonrails-security.googlegroups.com/attach/aee3413fb038bf56/2-3-sql-injection.patch?view=1&part=3
module ActiveRecord
  class Base
    class << self # Class methods
      protected

      # Builds the WHERE fragment for a Hash of conditions.
      #
      # Backport of the CVE-2012-2695 fix for Rails 2.3.14: a Hash value is
      # accepted only at the top level, where its key is passed through
      # connection.quote_table_name and used as the table qualifier for the
      # inner conditions; a Hash value any deeper raises StatementInvalid.
      # "table.column" keys are likewise only split and quoted at the top level.
      #
      # @param attrs [Hash] condition hash; keys may be "table.column" strings
      # @param default_table_name [String] quoted table name applied to
      #   unqualified keys (defaults to quoted_table_name)
      # @param top_level [Boolean] false when called recursively for a nested
      #   table Hash
      # @return [String] SQL fragment joined with AND, bind variables replaced
      # @raise [ActiveRecord::StatementInvalid] on a Hash value below the top level
      def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
        attrs = expand_hash_conditions_for_aggregates(attrs)

        fragments = attrs.map do |key, value|
          if value.is_a?(Hash)
            # Only one level of table-qualified nesting is permitted.
            raise ActiveRecord::StatementInvalid unless top_level

            sanitize_sql_hash_for_conditions(value, connection.quote_table_name(key.to_s), false)
          else
            column = key.to_s

            if top_level && column.include?('.')
              # "table.column": quote the table part separately from the column.
              qualifier, column = column.split('.', 2)
              qualifier = connection.quote_table_name(qualifier)
            else
              qualifier = default_table_name
            end

            attribute_condition("#{qualifier}.#{connection.quote_column_name(column)}", value)
          end
        end

        replace_bind_variables(fragments.join(' AND '), expand_range_bind_variables(attrs.values))
      end
      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
    end
  end
end