Commit 5cfe8330
Authored Feb 08, 2013 by Tobias Kraze
Committed by Aaron Patterson on Feb 10, 2013

fix serialization vulnerability

Parent: 9a48f4cf

Showing 2 changed files with 22 additions and 1 deletion (+22 -1)
activerecord/lib/active_record/attribute_methods.rb (+16 -1)
activerecord/test/cases/base_test.rb (+6 -0)
activerecord/lib/active_record/attribute_methods.rb
@@ -80,7 +80,9 @@ def define_attribute_methods
end
unless
instance_method_already_implemented?
(
"
#{
name
}
="
)
if
create_time_zone_conversion_attribute?
(
name
,
column
)
if
self
.
serialized_attributes
[
name
]
define_write_method_for_serialized_attribute
(
name
)
elsif
create_time_zone_conversion_attribute?
(
name
,
column
)
define_write_method_for_time_zone_conversion
(
name
)
else
define_write_method
(
name
.
to_sym
)
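Review bot: the new `if self.serialized_attributes[name]` branch is placed ahead of the existing `elsif create_time_zone_conversion_attribute?(name, column)` check, so an attribute that is both serialized and a time-zone-aware column now gets only `define_write_method_for_serialized_attribute` and no longer `define_write_method_for_time_zone_conversion`. If that combination is intentionally unsupported, a short comment above the `if` saying so would make the precedence change deliberate; otherwise the serialized writer would also need to perform the zone conversion it now shadows.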
@@ -184,6 +186,19 @@ def define_question_method(attr_name)
def
define_write_method
(
attr_name
)
evaluate_attribute_method
attr_name
,
"def
#{
attr_name
}
=(new_value);write_attribute('
#{
attr_name
}
', new_value);end"
,
"
#{
attr_name
}
="
end
# Defined for all serialized attributes. Disallows assigning already serialized YAML.
def
define_write_method_for_serialized_attribute
(
attr_name
)
method_body
=
<<-
EOV
def
#{
attr_name
}
=(value)
if value.is_a?(String) and value =~ /^---/
raise ActiveRecordError, "You tried to assign already serialized content to
#{
attr_name
}
. This is disabled due to security issues."
end
write_attribute(:
#{
attr_name
}
, value)
end
EOV
evaluate_attribute_method
attr_name
,
method_body
,
"
#{
attr_name
}
="
end
# Defined for all +datetime+ and +timestamp+ attributes when +time_zone_aware_attributes+ are enabled.
# This enhanced write method will automatically convert the time passed to it to the zone stored in Time.zone.
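Review bot: the guard `value =~ /^---/` uses `^`, which in Ruby is a start-of-line anchor rather than start-of-string, so a legitimate multi-line string with a later line beginning `---` is rejected, while a value with whitespace before the `---` marker passes; `\A---` is the start-of-string anchor and should replace `^` here, and the method comment should say the check is a heuristic on the YAML document marker, not a complete filter. The check also exists only in the generated `#{attr_name}=` writer: any caller that reaches `write_attribute` directly, which this writer itself does on the line `write_attribute(:#{attr_name}, value)`, bypasses it, so the comment "Disallows assigning already serialized YAML" should state that it covers the attribute setter only. Minor style point: `and` inside the `if` condition should be `&&`, consistent with the rest of the file and with Ruby's operator precedence.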
activerecord/test/cases/base_test.rb
@@ -1499,6 +1499,12 @@ def test_nil_serialized_attribute_with_class_constraint
assert_nil
topic
.
content
end
def
test_should_raise_exception_on_assigning_already_serialized_content
topic
=
Topic
.
new
serialized_content
=
%w[foo bar]
.
to_yaml
assert_raise
(
ActiveRecord
::
ActiveRecordError
)
{
topic
.
content
=
serialized_content
}
end
def
test_should_raise_exception_on_serialized_attribute_with_type_mismatch
myobj
=
MyObject
.
new
(
'value1'
,
'value2'
)
topic
=
Topic
.
new
(
:content
=>
myobj
)
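Review bot: `test_should_raise_exception_on_assigning_already_serialized_content` only exercises the rejection path (`%w[foo bar].to_yaml` begins with `---`); there is no companion assertion that a non-String value such as `%w[foo bar]` itself, or a plain string that does not start with `---`, is still accepted and stored through `topic.content=`, which is what shows the guard does not break ordinary assignment. Suggest adding `assert_nothing_raised { topic.content = %w[foo bar] }` plus a plain-string case, and asserting on the error message so the `ActiveRecord::ActiveRecordError` is known to come from the new guard rather than from another failure in the setter.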