Commit 3b69603f authored by Antonio Terceiro's avatar Antonio Terceiro

Imported Upstream version 4.1.5

parent f0ee24cf
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ## ## Rails 4.1.4 (July 2, 2014) ##
* No changes. * No changes.
......
...@@ -7,7 +7,7 @@ def self.gem_version ...@@ -7,7 +7,7 @@ def self.gem_version
module VERSION module VERSION
MAJOR = 4 MAJOR = 4
MINOR = 1 MINOR = 1
TINY = 4 TINY = 5
PRE = nil PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
......
...@@ -7,7 +7,7 @@ def self.gem_version ...@@ -7,7 +7,7 @@ def self.gem_version
module VERSION module VERSION
MAJOR = 4 MAJOR = 4
MINOR = 1 MINOR = 1
TINY = 4 TINY = 5
PRE = nil PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
......
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ## ## Rails 4.1.4 (July 2, 2014) ##
* No changes. * No changes.
......
...@@ -7,7 +7,7 @@ def self.gem_version ...@@ -7,7 +7,7 @@ def self.gem_version
module VERSION module VERSION
MAJOR = 4 MAJOR = 4
MINOR = 1 MINOR = 1
TINY = 4 TINY = 5
PRE = nil PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
......
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ## ## Rails 4.1.4 (July 2, 2014) ##
* No changes. * No changes.
......
...@@ -23,5 +23,6 @@ def sanitize_for_mass_assignment(attributes) ...@@ -23,5 +23,6 @@ def sanitize_for_mass_assignment(attributes)
attributes attributes
end end
end end
alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
end end
end end
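Review bot: The new alias on L49 carries no comment explaining why `sanitize_for_mass_assignment` needs a second name, so it will read as dead code to the next maintainer. Presumably it exists so the `where`/`create_with` callers added in ActiveRecord::QueryMethods can reuse this permit check under a name that does not collide with the mass-assignment hook models already define; a one-liner above it would capture that: `# Same check under a second name, used by ActiveRecord::QueryMethods (where/create_with) to avoid clashing with the model-level mass-assignment hook.` It is also worth a caveat next to it that, as the visible `else ... attributes` tail suggests, the check only rejects objects that answer `permitted?` with false — a plain Hash built from params (e.g. via `to_h`/`to_unsafe_h`) passes straight through, so callers must hand in the parameters object itself. The method being aliased starts above this hunk, so the guard itself is outside this view.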
...@@ -7,7 +7,7 @@ def self.gem_version ...@@ -7,7 +7,7 @@ def self.gem_version
module VERSION module VERSION
MAJOR = 4 MAJOR = 4
MINOR = 1 MINOR = 1
TINY = 4 TINY = 5
PRE = nil PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
......
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ## ## Rails 4.1.4 (July 2, 2014) ##
* Fix regression added from the latest security fix. * Fix regression added from the latest security fix.
......
...@@ -7,7 +7,7 @@ def self.gem_version ...@@ -7,7 +7,7 @@ def self.gem_version
module VERSION module VERSION
MAJOR = 4 MAJOR = 4
MINOR = 1 MINOR = 1
TINY = 4 TINY = 5
PRE = nil PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
......
require 'active_support/core_ext/array/wrap' require 'active_support/core_ext/array/wrap'
require 'active_model/forbidden_attributes_protection'
module ActiveRecord module ActiveRecord
module QueryMethods module QueryMethods
extend ActiveSupport::Concern extend ActiveSupport::Concern
include ActiveModel::ForbiddenAttributesProtection
# WhereChain objects act as placeholder for queries in which #where does not have any parameter. # WhereChain objects act as placeholder for queries in which #where does not have any parameter.
# In this case, #where must be chained with #not to return a new relation. # In this case, #where must be chained with #not to return a new relation.
class WhereChain class WhereChain
...@@ -561,7 +564,10 @@ def where!(opts = :chain, *rest) # :nodoc: ...@@ -561,7 +564,10 @@ def where!(opts = :chain, *rest) # :nodoc:
if opts == :chain if opts == :chain
WhereChain.new(self) WhereChain.new(self)
else else
references!(PredicateBuilder.references(opts)) if Hash === opts if Hash === opts
opts = sanitize_forbidden_attributes(opts)
references!(PredicateBuilder.references(opts))
end
self.where_values += build_where(opts, rest) self.where_values += build_where(opts, rest)
self self
...@@ -711,7 +717,13 @@ def create_with(value) ...@@ -711,7 +717,13 @@ def create_with(value)
end end
def create_with!(value) # :nodoc: def create_with!(value) # :nodoc:
self.create_with_value = value ? create_with_value.merge(value) : {} if value
value = sanitize_forbidden_attributes(value)
self.create_with_value = create_with_value.merge(value)
else
self.create_with_value = {}
end
self self
end end
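Review bot: The permit check in `where!` is gated on `Hash === opts` (L86), so `sanitize_forbidden_attributes` only runs for Hash-subclass parameter objects, while `create_with!` (L95–L97) applies it to any truthy value; the two paths are inconsistent and a non-Hash parameters object would reach `build_where` unchecked. As far as I recall, in 4.1 `ActionController::Parameters` is a `HashWithIndifferentAccess` subclass, so this is defensive rather than an exploitable gap today, but since the ActiveModel sanitizer presumably returns anything that does not answer `permitted?` untouched, the check can be made unconditional and only the references lookup kept on the hash guard: `opts = sanitize_forbidden_attributes(opts)` followed by `references!(PredicateBuilder.references(opts)) if Hash === opts`. `where!` begins in the hunk header and `build_where` is outside this view, so confirm nothing there depends on receiving the raw parameters object. A short comment on each call, e.g. `# Raise ForbiddenAttributesError on unpermitted params (CVE-2014-3514) before they become predicates`, would also make the intent of the two new lines obvious at a glance.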
......
...@@ -66,4 +66,34 @@ def test_blank_attributes_should_not_raise ...@@ -66,4 +66,34 @@ def test_blank_attributes_should_not_raise
person = Person.new person = Person.new
assert_nil person.assign_attributes(ProtectedParams.new({})) assert_nil person.assign_attributes(ProtectedParams.new({}))
end end
def test_create_with_checks_permitted
params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
assert_raises(ActiveModel::ForbiddenAttributesError) do
Person.create_with(params).create!
end
end
def test_create_with_works_with_params_values
params = ProtectedParams.new(first_name: 'Guille')
person = Person.create_with(first_name: params[:first_name]).create!
assert_equal 'Guille', person.first_name
end
def test_where_checks_permitted
params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
assert_raises(ActiveModel::ForbiddenAttributesError) do
Person.where(params).create!
end
end
def test_where_works_with_params_values
params = ProtectedParams.new(first_name: 'Guille')
person = Person.where(first_name: params[:first_name]).create!
assert_equal 'Guille', person.first_name
end
end end
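Review bot: The new tests (L108–L129) cover the rejecting path and the plain-value path, but not the positive path for the new check itself — a *permitted* parameters object passed to `where`/`create_with` should be accepted, and nothing here pins that, so an over-eager guard that raised on every `ProtectedParams` would still pass this suite. Note also that in `test_where_checks_permitted` and `test_create_with_checks_permitted` the raise happens inside `where`/`create_with`, so the trailing `.create!` never executes and could be dropped to make the assertion's target clear. If the `ProtectedParams` double (defined above this hunk, outside the view) supports `permit!` as the real class does, one test per method in the shape below would close the gap; the enclosing test class starts outside the hunk.
```ruby
def test_where_accepts_permitted_params
  params = ProtectedParams.new(first_name: 'Guille').permit!
  person = Person.where(params).create!
  assert_equal 'Guille', person.first_name
end
# … same shape for create_with: Person.create_with(params).create! …
```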
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ## ## Rails 4.1.4 (July 2, 2014) ##
* No changes. * No changes.
......
...@@ -7,7 +7,7 @@ def self.gem_version ...@@ -7,7 +7,7 @@ def self.gem_version
module VERSION module VERSION
MAJOR = 4 MAJOR = 4
MINOR = 1 MINOR = 1
TINY = 4 TINY = 5
PRE = nil PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
......
## Rails 4.1.5 (August 18, 2014) ##
* No changes.
## Rails 4.1.4 (July 2, 2014) ## ## Rails 4.1.4 (July 2, 2014) ##
* No changes. * No changes.
......
## Rails 4.1.5 (August 18, 2014) ##
* Check attributes passed to `create_with` and `where`.
Fixes CVE-2014-3514.
*Rafael Mendonça França*
## Rails 4.1.4 (July 2, 2014) ## ## Rails 4.1.4 (July 2, 2014) ##
* No changes. * No changes.
......
...@@ -7,7 +7,7 @@ def self.gem_version ...@@ -7,7 +7,7 @@ def self.gem_version
module VERSION module VERSION
MAJOR = 4 MAJOR = 4
MINOR = 1 MINOR = 1
TINY = 4 TINY = 5
PRE = nil PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
......
...@@ -7,7 +7,7 @@ def self.gem_version ...@@ -7,7 +7,7 @@ def self.gem_version
module VERSION module VERSION
MAJOR = 4 MAJOR = 4
MINOR = 1 MINOR = 1
TINY = 4 TINY = 5
PRE = nil PRE = nil
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
......