>From 9de9b359d0d24f70f0f6c5c58a7ad8750684d456 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Sun, 23 Dec 2012 11:07:07 -0800 Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if there are extra parameters --- activerecord/lib/active_record/base.rb | 6 +++++- activerecord/test/cases/finder_test.rb | 12 ++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb index 461007f..809a38c 100755 --- a/activerecord/lib/active_record/base.rb +++ b/activerecord/lib/active_record/base.rb @@ -1897,7 +1897,11 @@ module ActiveRecord #:nodoc: # end self.class_eval <<-EOS, __FILE__, __LINE__ + 1 def self.#{method_id}(*args) - options = args.extract_options! + options = if args.length > #{attribute_names.size} + args.extract_options! + else + {} + end attributes = construct_attributes_from_arguments( [:#{attribute_names.join(',:')}], args diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb index c779a69..9e3ab92 100644 --- a/activerecord/test/cases/finder_test.rb +++ b/activerecord/test/cases/finder_test.rb @@ -66,6 +66,18 @@ end class FinderTest < ActiveRecord::TestCase fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers + def test_find_by_id_with_hash + assert_raises(ActiveRecord::StatementInvalid) do + Post.find_by_id(:limit => 1) + end + end + + def test_find_by_title_and_id_with_hash + assert_raises(ActiveRecord::StatementInvalid) do + Post.find_by_title_and_id('foo', :limit => 1) + end + end + def test_find assert_equal(topics(:first).title, Topic.find(1).title) end -- 1.7.10.2 (Apple Git-33)