Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
# Monkey patch for CVE-2012-2695 on Rails 2.3.14
# put this file in your config/initializers directory
# comments/corrections: https://gist.github.com/2921706
#
# minor modification for rails 2.2 by DCR
# Ruby on Rails SQL Injection
# based on a patch from @presidentbeef
# https://rubyonrails-security.googlegroups.com/attach/aee3413fb038bf56/2-3-sql-injection.patch?view=1&part=3
module ActiveRecord
class Base
class << self # Class methods
protected
def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
attrs = expand_hash_conditions_for_aggregates(attrs)
conditions = attrs.map do |attr, value|
table_name = default_table_name
if not value.is_a?(Hash)
attr = attr.to_s
# Extract table name from qualified attribute names.
if attr.include?('.') and top_level
attr_table_name, attr = attr.split('.', 2)
attr_table_name = connection.quote_table_name(attr_table_name)
else
attr_table_name = table_name
end
#attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
"#{table_name}.#{connection.quote_column_name(attr)} #{attribute_condition(value)}" #DCR
elsif top_level
sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
else
raise ActiveRecord::StatementInvalid
end
end.join(' AND ')
replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
end
alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
end
end
end
raise "please review for different rails version" if Rails.version != "2.2.3"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment