Attachment 913249 Details for Bug 1114427 – 4.1 patch from upstream

[patch] 4.1 patch from upstream

4-1-postgres-sqli.patch (text/plain), 3.29 KB, created by Murray McAllister on 2014-06-30 05:00:10 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Murray McAllister

Created: 2014-06-30 05:00:10 UTC

Size: 3.29 KB

patch

obsolete

>From e9ba192305a655387257ba927d8f0b34227ae3db Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
> <rafaelmfranca@gmail.com>
>Date: Thu, 5 Jun 2014 14:08:40 -0300
>Subject: [PATCH] Fix SQL injection when querying against ranges and bitstrings
>
>Fix CVE-2014-3483 and protect against CVE-2014-3482.
>---
> .../lib/active_record/connection_adapters/postgresql/quoting.rb    | 7 ++++---
> .../lib/active_record/connection_adapters/postgresql_adapter.rb    | 2 +-
> activerecord/test/cases/adapters/postgresql/quoting_test.rb        | 6 ++++++
> 3 files changed, 11 insertions(+), 4 deletions(-)
>
>diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
>index f45274d..36a474d 100644
>--- a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
>+++ b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
>@@ -23,7 +23,8 @@ module ActiveRecord
>           case value
>           when Range
>             if /range$/ =~ sql_type
>-              "'#{PostgreSQLColumn.range_to_string(value)}'::#{sql_type}"
>+              escaped = quote_string(PostgreSQLColumn.range_to_string(value))
>+              "#{escaped}::#{sql_type}"
>             else
>               super
>             end
>@@ -70,8 +71,8 @@ module ActiveRecord
>             when 'xml'   then "xml '#{quote_string(value)}'"
>             when /^bit/
>               case value
>-              when /^[01]*$/      then "B'#{value}'" # Bit-string notation
>-              when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
>+              when /\A[01]*\Z/      then "B'#{value}'" # Bit-string notation
>+              when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
>               end
>             else
>               super
>diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
>index 4d8fcda..b64d6da 100644
>--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
>+++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
>@@ -819,7 +819,7 @@ module ActiveRecord
>         FEATURE_NOT_SUPPORTED = "0A000" #:nodoc:
> 
>         def exec_no_cache(sql, name, binds)
>-          log(sql, name, binds) { @connection.async_exec(sql) }
>+          log(sql, name, binds) { @connection.async_exec(sql, []) }
>         end
> 
>         def exec_cache(sql, name, binds)
>diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
>index 1122f8b..74e593f 100644
>--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
>+++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
>@@ -57,6 +57,12 @@ module ActiveRecord
>           assert_equal "'1970-01-01 00:00:00.000000'", @conn.quote(Time.at(0))
>           assert_equal "'1970-01-01 00:00:00.000000'", @conn.quote(Time.at(0).to_datetime)
>         end
>+
>+        def test_quote_range
>+          range = "1,2]'; SELECT * FROM users; --".."a"
>+          c = PostgreSQLColumn.new(nil, nil, OID::Range.new(:integer), 'int8range')
>+          assert_equal "[1,2]''; SELECT * FROM users; --,a]::int8range", @conn.quote(range, c)
>+        end
>       end
>     end
>   end
>-- 
>2.0.0
>

Actions: View | Diff

Attachments on bug 1114427: 913248 | 913249 | 914349 | 914350