Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save rsierra/2923498 to your computer and use it in GitHub Desktop.
Save rsierra/2923498 to your computer and use it in GitHub Desktop.
Patch for Ruby on Rails 2.1.x SQL Injection (CVE-2012-2695)
# Adapted patch for CVE-2012-2695 Ruby on Rails SQL Injection for rails 2.1.x versinos
# http://seclists.org/oss-sec/2012/q2/att-504/2-3-sql-injection.patch
# 1- Drop it at your_app/config/initializers/
# 2- Remember to pass your tests/specs
# 3- Profit!
module ActiveRecord
class Base
class << self
alias_method :sanitize_sql_hash_for_conditions_vulnerable, :sanitize_sql_hash_for_conditions
def sanitize_sql_hash_for_conditions(attrs, top_level = true)
attrs = expand_hash_conditions_for_aggregates(attrs)
conditions = attrs.map do |attr, value|
if not value.is_a?(Hash)
attr = attr.to_s
# Extract table name from qualified attribute names.
if attr.include?('.') and top_level
table_name, attr = attr.split('.', 2)
table_name = connection.quote_table_name(table_name)
else
table_name = quoted_table_name
end
"#{table_name}.#{connection.quote_column_name(attr)} #{attribute_condition(value)}"
elsif top_level
sanitize_sql_hash_for_conditions(value, false)
else
raise ActiveRecord::StatementInvalid
end
end.join(' AND ')
replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
end
alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
end
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment