Security: Update to Rails 2.3.14

2011-08-19 01:54:58 -05:00 · 2011-08-19 01:54:58 -05:00 · 4b2448b09a
commit 4b2448b09a
parent 3c650f2cf6
26 changed files with 106 additions and 33 deletions
--- a/vendor/rails/activerecord/Rakefile
+++ b/vendor/rails/activerecord/Rakefile
@ -192,7 +192,7 @@ spec = Gem::Specification.new do |s|
    s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
  end

-  s.add_dependency('activesupport', '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)

  s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
  s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"
--- a/vendor/rails/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+++ b/vendor/rails/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@ -238,7 +238,7 @@ module ActiveRecord
      end

      def quote_column_name(name) #:nodoc:
-        @quoted_column_names[name] ||= "`#{name}`"
+        @quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
      end

      def quote_table_name(name) #:nodoc:
--- a/vendor/rails/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
+++ b/vendor/rails/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
@ -162,7 +162,7 @@ module ActiveRecord
      end

      def quote_column_name(name) #:nodoc:
-        %Q("#{name}")
+        %Q("#{name.to_s.gsub('"', '""')}")
      end


--- a/vendor/rails/activerecord/lib/active_record/validations.rb
+++ b/vendor/rails/activerecord/lib/active_record/validations.rb
@ -333,7 +333,6 @@ module ActiveRecord
    end

    def generate_message(attribute, message = :invalid, options = {})
-      ActiveSupport::Deprecation.warn("ActiveRecord::Errors#generate_message has been deprecated. Please use ActiveRecord::Error.new().to_s.")
      Error.new(@base, attribute, message, options).to_s
    end
  end
--- a/vendor/rails/activerecord/lib/active_record/version.rb
+++ b/vendor/rails/activerecord/lib/active_record/version.rb
@ -2,7 +2,7 @@ module ActiveRecord
  module VERSION #:nodoc:
    MAJOR = 2
    MINOR = 3
-    TINY  = 12
+    TINY  = 14

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
--- a/vendor/rails/activerecord/test/cases/base_test.rb
+++ b/vendor/rails/activerecord/test/cases/base_test.rb
@ -79,6 +79,23 @@ end
 class BasicsTest < ActiveRecord::TestCase
  fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts

+  def test_column_names_are_escaped
+    conn      = ActiveRecord::Base.connection
+    classname = conn.class.name[/[^:]*$/]
+    badchar   = {
+      'SQLite3Adapter'    => '"',
+      'MysqlAdapter'      => '`',
+      'Mysql2Adapter'     => '`',
+      'PostgreSQLAdapter' => '"',
+      'OracleAdapter'     => '"',
+    }.fetch(classname) {
+      raise "need a bad char for #{classname}"
+    }
+
+    quoted = conn.quote_column_name "foo#{badchar}bar"
+    assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
+  end
+
  def test_table_exists
    assert !NonExistentTable.table_exists?
    assert Topic.table_exists?