[rubygem-activerecord/f14] fix for BZ #731438

Mohammed Morsi mmorsi at fedoraproject.org
Wed Aug 24 01:10:38 UTC 2011


commit f73567ab9233dad6491122c62ab9e7db5115cfa7
Author: Mo Morsi <mmorsi at redhat.com>
Date:   Tue Aug 23 21:10:06 2011 -0400

    fix for BZ #731438

 activerecord-bz-731438-fix.patch |   60 ++++++++++++++++++++++++++++++++++++++
 rubygem-activerecord.spec        |    9 +++++-
 2 files changed, 68 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-bz-731438-fix.patch b/activerecord-bz-731438-fix.patch
new file mode 100644
index 0000000..49853bf
--- /dev/null
+++ b/activerecord-bz-731438-fix.patch
@@ -0,0 +1,60 @@
+commit 6aeeb605981c45654adf40c79aaf1327e5709982
+Author: Aaron Patterson <aaron.patterson at gmail.com>
+Date:   Tue Aug 2 16:46:36 2011 -0700
+
+    prevent sql injection attacks by escaping quotes in column names
+
+diff --git a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+index 6f41f84..c50022b 100644
+--- a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
++++ b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+@@ -238,7 +238,7 @@ module ActiveRecord
+       end
+ 
+       def quote_column_name(name) #:nodoc:
+-        @quoted_column_names[name] ||= "`#{name}`"
++        @quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
+       end
+ 
+       def quote_table_name(name) #:nodoc:
+diff --git a/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb b/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
+index 1616698..242f3f7 100644
+--- a/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
++++ b/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
+@@ -162,7 +162,7 @@ module ActiveRecord
+       end
+ 
+       def quote_column_name(name) #:nodoc:
+-        %Q("#{name}")
++        %Q("#{name.to_s.gsub('"', '""')}")
+       end
+ 
+ 
+diff --git a/activerecord/test/cases/base_test.rb b/activerecord/test/cases/base_test.rb
+index e9af77c..242be2a 100755
+--- a/activerecord/test/cases/base_test.rb
++++ b/activerecord/test/cases/base_test.rb
+@@ -79,6 +79,23 @@ end
+ class BasicsTest < ActiveRecord::TestCase
+   fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
+ 
++  def test_column_names_are_escaped
++    conn      = ActiveRecord::Base.connection
++    classname = conn.class.name[/[^:]*$/]
++    badchar   = {
++      'SQLite3Adapter'    => '"',
++      'MysqlAdapter'      => '`',
++      'Mysql2Adapter'     => '`',
++      'PostgreSQLAdapter' => '"',
++      'OracleAdapter'     => '"',
++    }.fetch(classname) {
++      raise "need a bad char for #{classname}"
++    }
++
++    quoted = conn.quote_column_name "foo#{badchar}bar"
++    assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
++  end
++
+   def test_table_exists
+     assert !NonExistentTable.table_exists?
+     assert Topic.table_exists?
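Review bot: The new test_column_names_are_escaped asserts doubled quotes for PostgreSQLAdapter and OracleAdapter as well, but this patch only changes mysql_adapter.rb and sqlite_adapter.rb, so for those two adapters the assertion relies on 2.3.8's existing quote_column_name already doubling the delimiter — that is not visible here and should be confirmed against the bundled postgresql adapter before the backport is considered complete. The spec's %check runs only `rake test_sqlite3`, so in this build the MySQL branch (`@quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"`) is never exercised; either run the mysql test target too or note in the patch header that only the SQLite path is verified at build time. The mysql adapter's quote_table_name begins at the edge of the hunk and continues outside it; table names inherit the fix only if it is built on quote_column_name, which is worth a quick check. Doubling the delimiter is the correct escaping for both backends, so the change itself looks right.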
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index e493fb3..0ff64c4 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -10,7 +10,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 2.3.8
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -22,6 +22,9 @@ Patch0:  activerecord-2.3.8-sqlite3-compat.patch
 # patch1 https://rails.lighthouseapp.com/projects/8994/tickets/3210-rails-postgres-issue
 Patch1:  activerecord-2.3.8-postgres-fix.patch
 
+# FIX for https://bugzilla.redhat.com/show_bug.cgi?id=731438
+Patch2: activerecord-bz-731438-fix.patch
+
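Review bot: The Patch2 comment cites only the Bugzilla entry, so a future rebase cannot tell which upstream change this backports without opening the patch; the upstream commit id and subject are in the patch header and should be recorded here. Suggested comment: `# Backport of upstream rails commit 6aeeb605 ("prevent sql injection attacks by escaping quotes in column names"); https://bugzilla.redhat.com/show_bug.cgi?id=731438`. The -p2 strip level used below matches the `a/activerecord/...` paths in the patch since it is applied from inside geminstdir.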
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: ruby(abi) = %{rubyabi}
 Requires: rubygems
@@ -53,6 +56,7 @@ gem install --local --install-dir ./%{gemdir} \
 pushd ./%{geminstdir}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p2
 popd
 
 # Remove backup files
@@ -109,6 +113,9 @@ rake test_sqlite3 --trace
 %{gemdir}/specifications/%{gemname}-%{version}.gemspec
 
 %changelog
+* Tue Aug 23 2011 Mo Morsi <mmorsi at redhat.com> - 1:2.3.8-5
+- fix for bz 731438
+
 * Wed Sep 08 2010 Mohammed Morsi <mmorsi at redhat.com> - 1:2.3.8-4
 - Updated postgres fix to resolve security issue
 

