rsierra/sql_injection_patch_for_rails_2_1_series.rb

## sql_injection_patch_for_rails_2_1_series.rb
# Adapted patch for CVE-2012-2695 Ruby on Rails SQL Injection for rails 2.1.x versinos
# http://seclists.org/oss-sec/2012/q2/att-504/2-3-sql-injection.patch
# 1- Drop it at your_app/config/initializers/
# 2- Remember to pass your tests/specs
# 3- Profit!
module ActiveRecord
  class Base

    class << self

      alias_method :sanitize_sql_hash_for_conditions_vulnerable, :sanitize_sql_hash_for_conditions

      def sanitize_sql_hash_for_conditions(attrs, top_level = true)
        attrs = expand_hash_conditions_for_aggregates(attrs)

        conditions = attrs.map do |attr, value|
          if not value.is_a?(Hash)
            attr = attr.to_s

            # Extract table name from qualified attribute names.
            if attr.include?('.') and top_level
              table_name, attr = attr.split('.', 2)
              table_name = connection.quote_table_name(table_name)
            else
              table_name = quoted_table_name
            end

            "#{table_name}.#{connection.quote_column_name(attr)} #{attribute_condition(value)}"
          elsif top_level
            sanitize_sql_hash_for_conditions(value, false)
          else
            raise ActiveRecord::StatementInvalid
          end
        end.join(' AND ')

        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
      end
      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions

    end
  end
end
	# Adapted patch for CVE-2012-2695 Ruby on Rails SQL Injection for rails 2.1.x versinos
	# http://seclists.org/oss-sec/2012/q2/att-504/2-3-sql-injection.patch
	# 1- Drop it at your_app/config/initializers/
	# 2- Remember to pass your tests/specs
	# 3- Profit!
	module ActiveRecord
	class Base

	class << self

	alias_method :sanitize_sql_hash_for_conditions_vulnerable, :sanitize_sql_hash_for_conditions

	def sanitize_sql_hash_for_conditions(attrs, top_level = true)
	attrs = expand_hash_conditions_for_aggregates(attrs)

	conditions = attrs.map do \|attr, value\|
	if not value.is_a?(Hash)
	attr = attr.to_s

	# Extract table name from qualified attribute names.
	if attr.include?('.') and top_level
	table_name, attr = attr.split('.', 2)
	table_name = connection.quote_table_name(table_name)
	else
	table_name = quoted_table_name
	end

	"#{table_name}.#{connection.quote_column_name(attr)} #{attribute_condition(value)}"
	elsif top_level
	sanitize_sql_hash_for_conditions(value, false)
	else
	raise ActiveRecord::StatementInvalid
	end
	end.join(' AND ')

	replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
	end
	alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions

	end
	end
	end