[rubygem-activerecord/f20] Fix CVE-2014-0080: PostgreSQL array data injection vulnerability

Josef Stribny jstribny at fedoraproject.org
Wed Feb 26 15:00:58 UTC 2014


commit d2628d2df2286fa3b8246f1b8dbee15d905270b4
Author: Josef Stribny <jstribny at redhat.com>
Date:   Wed Feb 26 15:38:32 2014 +0100

    Fix CVE-2014-0080: PostgreSQL array data injection vulnerability

 ...tiverecord-4.0.3-CVE-2014-0080-PostgreSQL.patch |   45 ++++++++++++++++++++
 rubygem-activerecord.spec                          |   12 ++++-
 2 files changed, 55 insertions(+), 2 deletions(-)
---
diff --git a/rubygem-activerecord-4.0.3-CVE-2014-0080-PostgreSQL.patch b/rubygem-activerecord-4.0.3-CVE-2014-0080-PostgreSQL.patch
new file mode 100644
index 0000000..66c3caf
--- /dev/null
+++ b/rubygem-activerecord-4.0.3-CVE-2014-0080-PostgreSQL.patch
@@ -0,0 +1,45 @@
+diff --git a/lib/active_record/connection_adapters/postgresql/cast.rb b/lib/active_record/connection_adapters/postgresql/cast.rb
+index a73f0ac..eac828b 100644
+--- a/lib/active_record/connection_adapters/postgresql/cast.rb
++++ b/lib/active_record/connection_adapters/postgresql/cast.rb
+@@ -138,12 +138,16 @@ module ActiveRecord
+             end
+           end
+ 
++          ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays
++
+           def quote_and_escape(value)
+             case value
+             when "NULL"
+               value
+             else
+-              "\"#{value.gsub(/"/,"\\\"")}\""
++              value = value.gsub(/\\/, ARRAY_ESCAPE)
++              value.gsub!(/"/,"\\\"")
++              "\"#{value}\""
+             end
+           end
+       end
+diff --git a/test/cases/adapters/postgresql/datatype_test.rb b/test/cases/adapters/postgresql/datatype_test.rb
+index ca1a613..51cb897 100644
+--- a/test/cases/adapters/postgresql/datatype_test.rb
++++ b/test/cases/adapters/postgresql/datatype_test.rb
+@@ -179,6 +179,14 @@ _SQL
+      PostgresqlBitString, PostgresqlOid, PostgresqlTimestampWithZone, PostgresqlUUID].each(&:delete_all)
+   end
+ 
++  def test_array_escaping
++    unknown = %(foo\\",bar,baz,\\)
++    nicknames = ["hello_#{unknown}"]
++    ar = PostgresqlArray.create!(nicknames: nicknames, id: 100)
++    ar.reload
++    assert_equal nicknames, ar.nicknames
++  end
++
+   def test_data_type_of_array_types
+     assert_equal :integer, @first_array.column_for_attribute(:commission_by_quarter).type
+     assert_equal :text, @first_array.column_for_attribute(:nicknames).type
+-- 
+1.8.4.1
+
+
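Review bot: The patch file is named for activerecord 4.0.3 (`rubygem-activerecord-4.0.3-CVE-2014-0080-PostgreSQL.patch`) while the spec builds Version 4.0.0, and its cast.rb hunk context (`@@ -138,12 +138,16 @@`) was presumably taken from 4.0.3; confirm it applies to the 4.0.0 gem without fuzz, or rename the file to the packaged version so the mismatch does not mislead later maintainers. The escaping change itself matches the upstream fix (backslashes doubled via `ARRAY_ESCAPE` before the quote escaping) and needs no change. The added `test_array_escaping` round-trips a value containing both backslashes and quotes, but it depends on a live PostgreSQL connection, so it is probably not exercised by this package's %check unless a server is available there.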
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index cafe4d9..f6eb508 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -5,7 +5,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 4.0.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -15,6 +15,8 @@ Source0: http://rubygems.org/downloads/activerecord-%{version}.gem
 # git checkout v4.0.0
 # tar czvf activerecord-4.0.0-tests.tgz test/
 Source1: activerecord-%{version}-tests.tgz
+# Fix for CVE-2014-0080: PostgreSQL array data injection vulnerability
+Patch0: rubygem-activerecord-4.0.3-CVE-2014-0080-PostgreSQL.patch
 Requires: ruby(release)
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
@@ -57,6 +59,10 @@ Documentation for %{name}
 %setup -q -c -T
 %gem_install -n %{SOURCE0}
 
+pushd .%{gem_instdir}
+%patch0 -p1
+popd
+
 %build
 
 %install
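Review bot: `%patch0 -p1` runs in %prep inside `.%{gem_instdir}`, but the patch's second file, `test/cases/adapters/postgresql/datatype_test.rb`, is only unpacked later by `tar xzvf %{SOURCE1}` in %check, and the spec's own comment shows the tests are shipped separately from the gem. If the installed gem has no `test/` tree, that hunk cannot apply and %prep aborts; if this build succeeded, the tests were evidently present, but that is worth confirming rather than assuming. A more robust layout is to keep only the `cast.rb` hunk in Patch0 and carry the test change as a separate patch applied after the tar extraction, so the security fix to library code does not depend on the test tarball.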
@@ -65,7 +71,6 @@ cp -a .%{gem_dir}/* %{buildroot}%{gem_dir}
 
 %check
 pushd .%{gem_instdir}
-
 tar xzvf %{SOURCE1}
 
 # load_path is not available, remove its require.
@@ -101,6 +106,9 @@ popd
 
 
 %changelog
+* Wed Feb 26 2014 Josef Stribny <jstribny at redhat.com> - 1:4.0.0-2
+- Fix CVE-2014-0080: PostgreSQL array data injection vulnerability
+
 * Thu Aug 01 2013 Josef Stribny <jstribny at redhat.com> - 1:4.0.0-1
 - Update to ActiveRecord 4.0.0.
 

