Patch sql injection vulnerability when using integer or float columns.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
This commit is contained in:
parent
d70d521955
commit
99e9faeda8
@ -1,5 +1,7 @@
|
||||
*SVN*
|
||||
|
||||
* Patch sql injection vulnerability when using integer or float columns. [Jamis Buck]
|
||||
|
||||
* Allow #count through a has_many association to accept :include. [Dan Peterson]
|
||||
|
||||
* create_table rdoc: suggest :id => false for habtm join tables. [Zed Shaw]
|
||||
|
@ -11,7 +11,8 @@ def quote(value, column = nil)
|
||||
when String
|
||||
if column && column.type == :binary && column.class.respond_to?(:string_to_binary)
|
||||
"'#{quote_string(column.class.string_to_binary(value))}'" # ' (for ruby-mode)
|
||||
elsif column && [:integer, :float].include?(column.type)
|
||||
elsif column && [:integer, :float].include?(column.type)
|
||||
value = column.type == :integer ? value.to_i : value.to_f
|
||||
value.to_s
|
||||
else
|
||||
"'#{quote_string(value)}'" # ' (for ruby-mode)
|
||||
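Review bot: The coercion added at `value = column.type == :integer ? value.to_i : value.to_f` keeps the raw string out of the statement, but `String#to_i`/`#to_f` are lenient: non-numeric input silently becomes `0`/`0.0` and is queried as such, and an out-of-range float such as `"1e400".to_f` becomes `Infinity`, whose `to_s` emits the bare token `Infinity` into the SQL, which is not a numeric literal. If malformed input should be rejected rather than coerced, `Integer(value)`/`Float(value)` raise `ArgumentError` instead (note this would change the error the new find test sees from RecordNotFound to ArgumentError); at minimum guard the float branch, e.g. `raise ArgumentError, "invalid float value: #{value.inspect}" unless value.to_f.finite?`. Reassigning the `value` parameter before `value.to_s` is also harder to read than a single expression, `(column.type == :integer ? value.to_i : value.to_f).to_s`. `quote` starts and ends outside this hunk, so whether non-String values paired with an integer or float column take a comparable path is not visible here.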
|
@ -961,6 +961,12 @@ def test_quote_keys
|
||||
assert_equal("<baz>", inverted["quux"])
|
||||
end
|
||||
|
||||
def test_sql_injection_via_find
|
||||
assert_raises(ActiveRecord::RecordNotFound) do
|
||||
Topic.find("123456 OR id > 0")
|
||||
end
|
||||
end
|
||||
|
||||
def test_column_name_properly_quoted
|
||||
col_record = ColumnName.new
|
||||
col_record.references = 40
|
||||
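Review bot: `test_sql_injection_via_find` asserts only on the query outcome, so it passes whenever no Topic row with id 123456 exists and says nothing about the literal the quoter produced. Asserting on the quoted value directly pins the fix and does not depend on fixture ids, e.g. `assert_equal "123456", Topic.connection.quote("123456 OR id > 0", Topic.columns_hash["id"])`. A parallel assertion against a float column would cover the `to_f` branch, which no test in this hunk exercises. `test_column_name_properly_quoted` continues past the end of this hunk.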
|