From 7763f39a7f7e705bbd6b0a46f3dede48f3dae185 Mon Sep 17 00:00:00 2001
From: Ernie Miller <ernie@erniemiller.org>
Date: Tue, 8 Jan 2013 18:41:59 -0500
Subject: [PATCH] Fix for CVE-2013-0155

---
 activerecord/lib/active_record/base.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index 0179b005e5..cfc6e86b91 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -2340,6 +2340,8 @@ def expand_hash_conditions_for_aggregates(attrs)
         def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
           attrs = expand_hash_conditions_for_aggregates(attrs)
 
+          return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
+
           conditions = attrs.map do |attr, value|
             table_name = default_table_name
 
-- 
GitLab