[rubygem-activerecord/f14] fix for BZ #731438
Mohammed Morsi
mmorsi at fedoraproject.org
Wed Aug 24 01:10:38 UTC 2011
commit f73567ab9233dad6491122c62ab9e7db5115cfa7
Author: Mo Morsi <mmorsi at redhat.com>
Date: Tue Aug 23 21:10:06 2011 -0400
fix for BZ #731438
activerecord-bz-731438-fix.patch | 60 ++++++++++++++++++++++++++++++++++++++
rubygem-activerecord.spec | 9 +++++-
2 files changed, 68 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-bz-731438-fix.patch b/activerecord-bz-731438-fix.patch
new file mode 100644
index 0000000..49853bf
--- /dev/null
+++ b/activerecord-bz-731438-fix.patch
@@ -0,0 +1,60 @@
+commit 6aeeb605981c45654adf40c79aaf1327e5709982
+Author: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Tue Aug 2 16:46:36 2011 -0700
+
+ prevent sql injection attacks by escaping quotes in column names
+
+diff --git a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+index 6f41f84..c50022b 100644
+--- a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
++++ b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+@@ -238,7 +238,7 @@ module ActiveRecord
+ end
+
+ def quote_column_name(name) #:nodoc:
+- @quoted_column_names[name] ||= "`#{name}`"
++ @quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
+ end
+
+ def quote_table_name(name) #:nodoc:
+diff --git a/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb b/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
+index 1616698..242f3f7 100644
+--- a/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
++++ b/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
+@@ -162,7 +162,7 @@ module ActiveRecord
+ end
+
+ def quote_column_name(name) #:nodoc:
+- %Q("#{name}")
++ %Q("#{name.to_s.gsub('"', '""')}")
+ end
+
+
+diff --git a/activerecord/test/cases/base_test.rb b/activerecord/test/cases/base_test.rb
+index e9af77c..242be2a 100755
+--- a/activerecord/test/cases/base_test.rb
++++ b/activerecord/test/cases/base_test.rb
+@@ -79,6 +79,23 @@ end
+ class BasicsTest < ActiveRecord::TestCase
+ fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
+
++ def test_column_names_are_escaped
++ conn = ActiveRecord::Base.connection
++ classname = conn.class.name[/[^:]*$/]
++ badchar = {
++ 'SQLite3Adapter' => '"',
++ 'MysqlAdapter' => '`',
++ 'Mysql2Adapter' => '`',
++ 'PostgreSQLAdapter' => '"',
++ 'OracleAdapter' => '"',
++ }.fetch(classname) {
++ raise "need a bad char for #{classname}"
++ }
++
++ quoted = conn.quote_column_name "foo#{badchar}bar"
++ assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
++ end
++
+ def test_table_exists
+ assert !NonExistentTable.table_exists?
+ assert Topic.table_exists?
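Review bot: The backported test at the end of the hunk expects PostgreSQLAdapter and OracleAdapter to double a `"` in `quote_column_name` as well, but this patch only touches the MySQL and SQLite adapters, and the spec's build step (context in the later spec hunk) runs `rake test_sqlite3` only, so the PostgreSQL expectation is never exercised by the package build. Whether the 2.3.8 PostgreSQL adapter already escapes `"` cannot be seen from this hunk and should be confirmed before this is treated as a complete backport of upstream 6aeeb605; if it does not, it needs the same `name.to_s.gsub('"', '""')` treatment as the SQLite change. Likewise the hunk leaves `quote_table_name` unchanged; it is only covered if the 2.3.8 implementation delegates to `quote_column_name`, which is not visible here. A one-line comment on the MySQL change, `# escape the identifier quote itself; memoized per raw name`, would make the intent and the cache key obvious to the next reader.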
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index e493fb3..0ff64c4 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -10,7 +10,7 @@ Summary: Implements the ActiveRecord pattern for ORM
Name: rubygem-%{gemname}
Epoch: 1
Version: 2.3.8
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -22,6 +22,9 @@ Patch0: activerecord-2.3.8-sqlite3-compat.patch
# patch1 https://rails.lighthouseapp.com/projects/8994/tickets/3210-rails-postgres-issue
Patch1: activerecord-2.3.8-postgres-fix.patch
+# FIX for https://bugzilla.redhat.com/show_bug.cgi?id=731438
+Patch2: activerecord-bz-731438-fix.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: ruby(abi) = %{rubyabi}
Requires: rubygems
@@ -53,6 +56,7 @@ gem install --local --install-dir ./%{gemdir} \
pushd ./%{geminstdir}
%patch0 -p1
%patch1 -p1
+%patch2 -p2
popd
# Remove backup files
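Review bot: `%patch2 -p2` silently differs from the `-p1` used for Patch0 and Patch1 because the backported patch carries upstream-tree paths (`a/activerecord/lib/...`), so two components must be stripped for it to land in `lib/` under %{geminstdir}; without a comment the next packager is likely to "fix" it back to `-p1` and get a failed build. Suggested line above it: `# -p2: patch is from the rails monorepo, strip the leading activerecord/ component`. It would also help to note in the Patch2 comment that the build's `rake test_sqlite3` exercises the new escaping test against SQLite only, so the MySQL change in the same patch is applied but not tested at build time.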
@@ -109,6 +113,9 @@ rake test_sqlite3 --trace
%{gemdir}/specifications/%{gemname}-%{version}.gemspec
%changelog
+* Tue Aug 23 2011 Mo Morsi <mmorsi at redhat.com> - 1:2.3.8-5
+- fix for bz 731438
+
* Wed Sep 08 2010 Mohammed Morsi <mmorsi at redhat.com> - 1:2.3.8-4
- Updated postgres fix to resolve security issue