[rubygem-activerecord/f18] Fix for CVE-2013-0155.

Vít Ondruch vondruch at fedoraproject.org
Wed Jan 9 16:16:15 UTC 2013


commit f73298834f9bb5c546960e684741550910ba626e
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Wed Jan 9 17:15:14 2013 +0100

    Fix for CVE-2013-0155.

 ...ord-3.2.11-CVE-2013-0155-null_array_param.patch |   33 ++++++++++++++++++++
 rubygem-activerecord.spec                          |   10 +++++-
 2 files changed, 42 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch b/rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch
new file mode 100644
index 0000000..909bfb4
--- /dev/null
+++ b/rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch
@@ -0,0 +1,33 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+---
+ .../lib/active_record/relation/predicate_builder.rb   |    7 ++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 6b118b4..b31fdfd 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -6,7 +6,12 @@ module ActiveRecord
+ 
+         if allow_table_name && value.is_a?(Hash)
+           table = Arel::Table.new(column, engine)
+-          build_from_hash(engine, value, table, false)
++
++          if value.empty?
++            '1 = 2'
++          else
++            build_from_hash(engine, value, table, false)
++          end
+         else
+           column = column.to_s
+ 
+-- 
+1.7.10.2 (Apple Git-33)
+
+
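Review bot: the new `if value.empty?` branch in predicate_builder.rb returns the literal SQL `'1 = 2'` as a constant-false predicate, but nothing in the patch explains why an empty nested hash must match no rows instead of falling through to `build_from_hash(engine, value, table, false)`; add a one-line comment above the branch stating that intent, so a later cleanup does not fold it back into the old call. Also, the embedded subject reads "* Strip nils from collections on JSON and XML posts." and is marked [PATCH 1/2], while this hunk only adds the empty-hash handling; confirm that the second part of the upstream series (the nil stripping named in the subject) is either carried by another patch or not needed for 3.2.8, and say so in the spec comment or changelog.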
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index e3711b7..99adc8e 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -6,7 +6,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.2.8
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -21,6 +21,10 @@ Source1: activerecord-%{version}-tests.tgz
 # https://bugzilla.redhat.com/show_bug.cgi?id=889649
 Patch0: rubygem-activerecord-3.2.10-CVE-2012-6496-dynamic_finder_injection.patch
 
+# CVE-2013-0155
+# https://bugzilla.redhat.com/show_bug.cgi?id=892866
+Patch1: rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch
+
 Requires: ruby(abi) = %{rubyabi}
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
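Review bot: the Patch1 filename carries 3.2.11 while the spec's Version is 3.2.8, which matches the convention already used for Patch0 (3.2.10) but leaves the backport provenance implicit; extend the `# CVE-2013-0155` comment with the upstream commit id the patch was taken from (it is visible in the patch header as b7d666e95aee11e441908278425d16deef87cefb) so the source of the backport can be checked without opening the patch file.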
@@ -63,6 +67,7 @@ gem install --local --install-dir .%{gem_dir} \
 
 pushd .%{gem_instdir}
 %patch0 -p2
+%patch1 -p2
 popd
 
 %build
@@ -109,6 +114,9 @@ popd
 
 
 %changelog
+* Wed Jan 09 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-3
+- Fix for CVE-2013-0155.
+
 * Fri Jan 04 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-2
 - Fix for CVE-2012-6496.
 

