Patch sql injection vulnerability when using integer or float columns.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2006-07-27 18:29:49 +00:00 · 2006-07-27 18:29:49 +00:00 · 99e9faeda8
commit 99e9faeda8
parent d70d521955
3 changed files with 10 additions and 1 deletions
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@ -1,5 +1,7 @@
 *SVN*

+* Patch sql injection vulnerability when using integer or float columns. [Jamis Buck]
+
 * Allow #count through a has_many association to accept :include.  [Dan Peterson]

 * create_table rdoc: suggest :id => false for habtm join tables. [Zed Shaw]
--- a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
@ -11,7 +11,8 @@ def quote(value, column = nil)
          when String
            if column && column.type == :binary && column.class.respond_to?(:string_to_binary)
              "'#{quote_string(column.class.string_to_binary(value))}'" # ' (for ruby-mode)
-            elsif column && [:integer, :float].include?(column.type) 
+            elsif column && [:integer, :float].include?(column.type)
+              value = column.type == :integer ? value.to_i : value.to_f
              value.to_s
            else
              "'#{quote_string(value)}'" # ' (for ruby-mode)
--- a/activerecord/test/base_test.rb
+++ b/activerecord/test/base_test.rb
@ -961,6 +961,12 @@ def test_quote_keys
    assert_equal("<baz>", inverted["quux"])
  end

+  def test_sql_injection_via_find
+    assert_raises(ActiveRecord::RecordNotFound) do
+      Topic.find("123456 OR id > 0")
+    end
+  end
+
  def test_column_name_properly_quoted
    col_record = ColumnName.new
    col_record.references = 40