|
From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
|
|
From: Aaron Patterson <aaron.patterson@gmail.com>
|
|
Date: Fri, 4 Jan 2013 12:02:22 -0800
|
|
Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
|
|
[CVE-2013-0155] * dealing with empty hashes. Thanks
|
|
Damien Mathieu
|
|
|
|
---
|
|
.../lib/active_record/relation/predicate_builder.rb | 7 ++++++-
|
|
1 files changed, 7 insertions(+), 1 deletions(-)
|
|
|
|
diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
|
|
index 6b118b4..b31fdfd 100644
|
|
--- a/activerecord/lib/active_record/relation/predicate_builder.rb
|
|
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
|
|
@@ -6,7 +6,12 @@ module ActiveRecord
|
|
|
|
if allow_table_name && value.is_a?(Hash)
|
|
table = Arel::Table.new(column, engine)
|
|
- build_from_hash(engine, value, table, false)
|
|
+
|
|
+ if value.empty?
|
|
+ '1 = 2'
|
|
+ else
|
|
+ build_from_hash(engine, value, table, false)
|
|
+ end
|
|
else
|
|
column = column.to_s
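Review bot: The new `value.empty?` branch returns a bare SQL string `'1 = 2'` while the sibling branch returns whatever `build_from_hash` produces (Arel predicate nodes), so callers collecting these results now see mixed types; the literal is constant, so it is not injectable, but the reason for it is security-critical and is not recorded in the code. Suggest a comment above the `if`: `# An empty nested hash (e.g. {"user": {}} decoded from a JSON/XML request) must not drop the condition entirely, or the query would match every row; emit an always-false predicate instead.` If the surrounding Arel version offers it, `Arel.sql('1 = 2')` (or `Arel::Nodes::SqlLiteral.new('1 = 2')`) would keep the return type consistent with the other branch — confirm against the caller. Note this hunk only guards the `allow_table_name && value.is_a?(Hash)` path; the nil-stripping the subject line describes is not in this hunk and presumably lands in the companion patch. The enclosing `build_from_hash` method begins above the hunk.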
|
|
|
|
--
|
|
1.7.10.2 (Apple Git-33)
|
|
|
|
|