Fix issue with attr_protected where malformed input could circumvent

protection

Fixes: CVE-2013-0276

Conflicts:
	activemodel/lib/active_model/attribute_methods.rb
	activerecord/test/cases/mass_assignment_security_test.rb
joernchen of Phenoelit
2013-02-09 15:46:44 -08:00
committed by Aaron Patterson
parent f93d046770
commit 2dfd51247f
2 changed files with 2 additions and 2 deletions


@@ -347,7 +347,7 @@ module ActiveModel
def initialize(options = {})
options.symbolize_keys!
@prefix, @suffix = options[:prefix] || '', options[:suffix] || ''
@regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/
@regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/
end
def match(method_name)
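Review bot: The `\A…\z` form of `@regex` in `initialize` carries no comment, so the reason for the anchors is easy to lose in a later cleanup. In Ruby `^` and `$` match at every line boundary, so the `^…$` form can accept a multi-line string when only one of its lines has the expected shape; I would add `# \A/\z anchor the whole string; ^/$ also match around embedded newlines` above the assignment. The diffstat lists two changed files and both visible hunks are library code, so it looks as if no regression test came with this change; one that passes a name with an embedded newline to `match` and expects no match would pin the behaviour. The enclosing class starts above the hunk and `match` continues below it.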


@@ -17,7 +17,7 @@ module ActiveModel
protected
def remove_multiparameter_id(key)
key.to_s.gsub(/\(.+/, '')
key.to_s.gsub(/\(.+/m, '')
end
end
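Review bot: `remove_multiparameter_id` still uses `.+` after the `\(`, so a key that ends in a bare `(` is returned unchanged rather than reduced to its attribute name. I can't tell from this hunk whether such a key reaches the permission check in a way that matters, but normalising it as well is cheap: `key.to_s.sub(/\(.*/m, '')` (with `/m` the first match already runs to the end of the string, so `sub` is enough). A one-line comment such as `# /m so "." also consumes newlines and nothing after the first "(" survives` would record why the flag is there. The enclosing class starts above the hunk.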