Red Hat Bugzilla – Attachment 675075 Details for Bug 892866: CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails
[patch]
actionpack-CVE-2013-0155-3-1-null_array_param.patch (text/plain), 7.56 KB, created by Kurt Seifried on 2013-01-08 21:25:30 UTC

Description: actionpack-CVE-2013-0155-3-1-null_array_param.patch
Filename: actionpack-CVE-2013-0155-3-1-null_array_param.patch
MIME Type: text/plain
Creator: Kurt Seifried
Created: 2013-01-08 21:25:30 UTC
Size: 7.56 KB
Flags: patch, obsolete
>From 2ad700ab62494b44a65927c00078d39e9f69cffb Mon Sep 17 00:00:00 2001 >From: Aaron Patterson <aaron.patterson@gmail.com> >Date: Fri, 4 Jan 2013 12:02:22 -0800 >Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts. > [CVE-2013-0155] * dealing with empty hashes. Thanks > Damien Mathieu > >Conflicts: > actionpack/CHANGELOG.md > activerecord/CHANGELOG.md >--- > actionpack/CHANGELOG.md | 4 ++++ > actionpack/lib/action_dispatch/http/request.rb | 10 ++++------ > .../lib/action_dispatch/middleware/params_parser.rb | 4 ++-- > .../test/dispatch/request/json_params_parsing_test.rb | 15 +++++++++++++++ > .../test/dispatch/request/xml_params_parsing_test.rb | 17 +++++++++++++++++ > activerecord/CHANGELOG.md | 4 ++++ > .../lib/active_record/relation/predicate_builder.rb | 7 ++++++- > activerecord/test/cases/relation/where_test.rb | 16 +++++++++++++++- > 8 files changed, 67 insertions(+), 10 deletions(-) > >diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md >index 8dbae98..2d82648 100644 >--- a/actionpack/CHANGELOG.md >+++ b/actionpack/CHANGELOG.md >@@ -1,3 +1,7 @@ >+## Rails 3.1.10 >+ >+* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] >+ > ## Rails 3.1.9 > > ## Rails 3.1.8 (Aug 9, 2012) >diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb >index b58e6a7..57b7b51 100644 >--- a/actionpack/lib/action_dispatch/http/request.rb >+++ b/actionpack/lib/action_dispatch/http/request.rb >@@ -267,18 +267,14 @@ module ActionDispatch > LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip } > end > >- protected >- > # Remove nils from the params hash > def deep_munge(hash) >- keys = hash.keys.find_all { |k| hash[k] == [nil] } >- keys.each { |k| hash[k] = nil } >- >- hash.each_value do |v| >+ hash.each do |k, v| > case v > when Array > v.grep(Hash) { |x| deep_munge(x) } > v.compact! >+ hash[k] = nil if v.empty? > when Hash > deep_munge(v) > end 
>@@ -287,6 +283,8 @@ module ActionDispatch > hash > end > >+ protected >+ > def parse_query(qs) > deep_munge(super) > end >diff --git a/actionpack/lib/action_dispatch/middleware/params_parser.rb b/actionpack/lib/action_dispatch/middleware/params_parser.rb >index d4208ca..aaf9680 100644 >--- a/actionpack/lib/action_dispatch/middleware/params_parser.rb >+++ b/actionpack/lib/action_dispatch/middleware/params_parser.rb >@@ -38,13 +38,13 @@ module ActionDispatch > when Proc > strategy.call(request.raw_post) > when :xml_simple, :xml_node >- data = Hash.from_xml(request.body.read) || {} >+ data = request.deep_munge(Hash.from_xml(request.body.read) || {}) > request.body.rewind if request.body.respond_to?(:rewind) > data.with_indifferent_access > when :yaml > YAML.load(request.raw_post) > when :json >- data = ActiveSupport::JSON.decode(request.body) >+ data = request.deep_munge ActiveSupport::JSON.decode(request.body) > request.body.rewind if request.body.respond_to?(:rewind) > data = {:_json => data} unless data.is_a?(Hash) > data.with_indifferent_access >diff --git a/actionpack/test/dispatch/request/json_params_parsing_test.rb b/actionpack/test/dispatch/request/json_params_parsing_test.rb >index d854d55..a9ab1fd 100644 >--- a/actionpack/test/dispatch/request/json_params_parsing_test.rb >+++ b/actionpack/test/dispatch/request/json_params_parsing_test.rb >@@ -30,6 +30,21 @@ class JsonParamsParsingTest < ActionDispatch::IntegrationTest > ) > end > >+ test "nils are stripped from collections" do >+ assert_parses( >+ {"person" => nil}, >+ "{\"person\":[null]}", { 'CONTENT_TYPE' => 'application/json' } >+ ) >+ assert_parses( >+ {"person" => ['foo']}, >+ "{\"person\":[\"foo\",null]}", { 'CONTENT_TYPE' => 'application/json' } >+ ) >+ assert_parses( >+ {"person" => nil}, >+ "{\"person\":[null, null]}", { 'CONTENT_TYPE' => 'application/json' } >+ ) >+ end >+ > test "logs error if parsing unsuccessful" do > with_test_routing do > begin 
>diff --git a/actionpack/test/dispatch/request/xml_params_parsing_test.rb b/actionpack/test/dispatch/request/xml_params_parsing_test.rb >index 38453df..824dae4 100644 >--- a/actionpack/test/dispatch/request/xml_params_parsing_test.rb >+++ b/actionpack/test/dispatch/request/xml_params_parsing_test.rb >@@ -30,6 +30,23 @@ class XmlParamsParsingTest < ActionDispatch::IntegrationTest > assert_equal "<ok>bar</ok>", resp.body > end > >+ def assert_parses(expected, xml) >+ with_test_routing do >+ post "/parse", xml, default_headers >+ assert_response :ok >+ assert_equal(expected, TestController.last_request_parameters) >+ end >+ end >+ >+ test "nils are stripped from collections" do >+ assert_parses( >+ {"hash" => { "person" => nil} }, >+ "<hash><person type=\"array\"><person nil=\"true\"/></person></hash>") >+ assert_parses( >+ {"hash" => { "person" => ['foo']} }, >+ "<hash><person type=\"array\"><person>foo</person><person nil=\"true\"/></person>\n</hash>") >+ end >+ > test "parses hash params" do > with_test_routing do > xml = "<person><name>David</name></person>" >diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md >index 5603379..56f8009 100644 >--- a/activerecord/CHANGELOG.md >+++ b/activerecord/CHANGELOG.md >@@ -1,3 +1,7 @@ >+## Rails 3.1.10 >+ >+* Fix querying with an empty hash *Damien Mathieu* [CVE-2013-0155] >+ > ## Rails 3.1.9 > > * CVE-2012-5664 ensure that options are never taken from the first parameter >diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb >index b1834c2..21d7589 100644 >--- a/activerecord/lib/active_record/relation/predicate_builder.rb >+++ b/activerecord/lib/active_record/relation/predicate_builder.rb 
>@@ -6,7 +6,12 @@ module ActiveRecord > > if allow_table_name && value.is_a?(Hash) > table = Arel::Table.new(column, engine) >- build_from_hash(engine, value, table, false) >+ >+ if value.empty? >+ '1 = 2' >+ else >+ build_from_hash(engine, value, table, false) >+ end > else > column = column.to_s > >diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb >index b9eef1d..8015833 100644 >--- a/activerecord/test/cases/relation/where_test.rb >+++ b/activerecord/test/cases/relation/where_test.rb >@@ -1,9 +1,11 @@ > require "cases/helper" > require 'models/post' >+require 'models/comment' >+require 'models/edge' > > module ActiveRecord > class WhereTest < ActiveRecord::TestCase >- fixtures :posts >+ fixtures :posts, :edges > > def test_where_error > assert_raises(ActiveRecord::StatementInvalid) do >@@ -21,5 +23,17 @@ module ActiveRecord > post = Post.first > assert_equal post, Post.where(:posts => { 'id' => post.id }).first > end >+ >+ def test_where_with_table_name_and_empty_hash >+ assert_equal 0, Post.where(:posts => {}).count >+ end >+ >+ def test_where_with_table_name_and_empty_array >+ assert_equal 0, Post.where(:id => []).count >+ end >+ >+ def test_where_with_empty_hash_and_no_foreign_key >+ assert_equal 0, Edge.where(:sink => {}).count >+ end > end > end >-- >1.7.10.2 (Apple Git-33) >
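Review bot: in the `deep_munge` rewrite in actionpack/lib/action_dispatch/http/request.rb (hunk @@ -267,18), the new line `hash[k] = nil if v.empty?` also converts a genuinely empty array `[]` to `nil`, whereas the removed code only rewrote arrays equal to `[nil]`; a JSON body such as `{"ids": []}` will therefore arrive in `params` as `"ids" => nil`, and a `where(:id => params[:ids])` becomes an `IS NULL` comparison rather than an empty match. If that widening is intended, say so in the CHANGELOG entry and add a test for `[]`; otherwise record `was_empty = v.empty?` before `compact!` and only nil out arrays that became empty. Assigning to an existing key inside `hash.each` is safe in Ruby (only inserting new keys during iteration raises), so the in-place mutation itself is fine.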
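Review bot: in actionpack/lib/action_dispatch/middleware/params_parser.rb (hunk @@ -38,13), the JSON branch calls `request.deep_munge` on the raw `ActiveSupport::JSON.decode` result before the existing `data = {:_json => data} unless data.is_a?(Hash)` wrapping, so a top-level JSON array is handed to `deep_munge`, whose `hash.each do |k, v|` then yields each element as `k` with `v` nil and leaves `[nil]` values nested inside those elements untouched; a top-level non-collection value, if the decoder returns one, would raise `NoMethodError` on `each`, which the previous code tolerated. Suggest munging after the wrapping, i.e. `data = {:_json => data} unless data.is_a?(Hash)` followed by `data = request.deep_munge(data)`, and adding a test with an array body.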
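Review bot: the new test "nils are stripped from collections" in actionpack/test/dispatch/request/json_params_parsing_test.rb (hunk @@ -30,6) only exercises a flat array under one key; the `v.grep(Hash) { |x| deep_munge(x) }` recursion in `deep_munge` (hashes nested inside arrays) has no coverage here, nor does an empty array `[]`. Add a case such as `{"person":[{"name":[null]}]}` expecting `{"person" => [{"name" => nil}]}`, and a `{"person":[]}` case that pins down whichever result is intended.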
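Review bot: in activerecord/lib/active_record/relation/predicate_builder.rb (hunk @@ -6,7), the empty-hash branch returns the bare String `'1 = 2'` while the sibling branch returns the Arel predicates produced by `build_from_hash`, so the method's result now mixes Strings and Arel nodes; wrapping it as `Arel.sql('1 = 2')` (or an Arel node with the same meaning) keeps the return type uniform for callers that inspect or combine the predicates. Note also that this branch is only reached when `allow_table_name` is true, i.e. for `where(:posts => {})`; a top-level empty hash (`where({})`) is not changed by this hunk, which is worth a sentence in the CHANGELOG entry.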
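Review bot: in activerecord/test/cases/relation/where_test.rb (hunk @@ -1,9), `require 'models/comment'` is added but none of the tests in this patch reference `Comment`; only `Edge` (with the `:edges` fixture) is used, by `test_where_with_empty_hash_and_no_foreign_key`. Drop the unused require, or add the test that needs it.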
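Review bot: in activerecord/test/cases/relation/where_test.rb (hunk @@ -21,5), `test_where_with_table_name_and_empty_array` asserts `Post.where(:id => []).count` is 0, but nothing in this patch touches array handling in the predicate builder, so it is a regression guard for existing behaviour rather than a test of the fix; a comment saying so would help the next reader, and a companion `Post.where(:posts => { 'id' => [] })` case would tie the empty-hash and empty-array paths together.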