Whitelist the methods which are called by multiparameter attribute assignment.

This prevents users from causing NoMethodErrors and the like by editing the parameter names, and closes a potential exploit of CVE-2009-1904.
2026-04-26 03:00:59 -04:00 · 2009-06-10 12:10:13 +12:00
parent b6fde6b480
commit c014c3e5c1
1 changed files with 8 additions and 8 deletions
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -3043,11 +3043,11 @@ module ActiveRecord #:nodoc:
      def execute_callstack_for_multiparameter_attributes(callstack)
        errors = []
        callstack.each do |name, values|
-          klass = (self.class.reflect_on_aggregation(name.to_sym) || column_for_attribute(name)).klass
-          if values.empty?
-            send(name + "=", nil)
-          else
-            begin
+          begin
+            klass = (self.class.reflect_on_aggregation(name.to_sym) || column_for_attribute(name)).klass
+            if values.empty?
+              send(name + "=", nil)
+            else
              value = if Time == klass
                instantiate_time_object(name, values)
              elsif Date == klass
@@ -3061,9 +3061,9 @@ module ActiveRecord #:nodoc:
              end

              send(name + "=", value)
-            rescue => ex
-              errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name}", ex, name)
            end
+          rescue => ex
+            errors << AttributeAssignmentError.new("error on assignment #{values.inspect} to #{name}", ex, name)
          end
        end
        unless errors.empty?
@@ -3089,7 +3089,7 @@ module ActiveRecord #:nodoc:
      end

      def type_cast_attribute_value(multiparameter_name, value)
-        multiparameter_name =~ /\([0-9]*([a-z])\)/ ? value.send("to_" + $1) : value
+        multiparameter_name =~ /\([0-9]*([if])\)/ ? value.send("to_" + $1) : value
      end

      def find_parameter_position(multiparameter_name)