authortaca <taca@pkgsrc.org>2013-02-12 13:23:20 +0000
committertaca <taca@pkgsrc.org>2013-02-12 13:23:20 +0000
commit50076bee7840957cce04440cd586b4028d758d73 (patch)
treec8b6f43bec17017d454a9bb8823592709db0dd12 /databases
parent4b0d4f31a6e2e4ee8c8f95e152ef14700931f44a (diff)
Add fix for CVE-2013-0277.
Bump PKGREVISION.
Diffstat (limited to 'databases')
-rw-r--r--databases/ruby-activerecord3/patches/patch-lib_active__record_attribute__methods_write.rb22
1 files changed, 22 insertions, 0 deletions
diff --git a/databases/ruby-activerecord3/patches/patch-lib_active__record_attribute__methods_write.rb b/databases/ruby-activerecord3/patches/patch-lib_active__record_attribute__methods_write.rb
new file mode 100644
index 00000000000..47fd718d8a8
--- /dev/null
+++ b/databases/ruby-activerecord3/patches/patch-lib_active__record_attribute__methods_write.rb
@@ -0,0 +1,22 @@
+$NetBSD$
+
+Fix for CVE-2013-0277.
+
+--- lib/active_record/attribute_methods/write.rb.orig 2013-02-12 00:08:22.000000000 +0000
++++ lib/active_record/attribute_methods/write.rb
+@@ -10,7 +10,14 @@ module ActiveRecord
+ module ClassMethods
+ protected
+ def define_method_attribute=(attr_name)
+- if attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/
++ if self.serialized_attributes[attr_name]
++ generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value|
++ if new_value.is_a?(String) and new_value =~ /^---/
++ raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
++ end
++ write_attribute(attr_name, new_value)
++ end
++ elsif attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/
+ generated_attribute_methods.module_eval("def #{attr_name}=(new_value); write_attribute('#{attr_name}', new_value); end", __FILE__, __LINE__)
+ else
+ generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value|
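Review bot: The header of the new patch file records only `Fix for CVE-2013-0277.`, so a later maintainer cannot tell which upstream Rails commit this backports or whether it is verbatim; pkgsrc patch headers normally cite the origin, e.g. `Backport of the upstream Rails fix for CVE-2013-0277 (<UPSTREAM-COMMIT-URL placeholder>).` The guard added inside `define_method_attribute=` rejects only String values matching `/^---/`, and because `^` is a line anchor in Ruby the generated writer also refuses legitimate multi-line strings that merely contain a line beginning with `---`; if that deliberately mirrors the "already serialized" heuristic used elsewhere in ActiveRecord, as it appears to, a one-line comment in the patch saying so would stop someone from later tightening it to `\A` and reopening the gap. `new_value.is_a?(String) and new_value =~ /^---/` uses `and` where idiomatic Ruby uses `&&`, but diverging from the upstream text in a backport is not worth it. The enclosing `define_method_attribute=` method ends outside the hunk.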