predicate builder should not recurse for determining where columns.

Thanks to Ben Murphy for reporting this CVE-2012-2661

predicate builder should not recurse for determining where columns.
Thanks to Ben Murphy for reporting this CVE-2012-2661
9340f898 · Aaron Patterson · 344ea048 · 9340f898 · 9340f898 · 9340f898
3 changed file
--- a/activerecord/lib/active_record/associations/association_scope.rb
+++ b/activerecord/lib/active_record/associations/association_scope.rb
@@ -96,7 +96,7 @@ def add_constraints(scope)

            conditions.each do |condition|
              if options[:through] && condition.is_a?(Hash)
-                condition = { table.name => condition }
+                condition = disambiguate_condition(table, condition)
              end

              scope = scope.where(interpolate(condition))
@@ -113,7 +113,7 @@ def add_constraints(scope)

            conditions.each do |condition|
              condition = interpolate(condition)
-              condition = { (table.table_alias || table.name) => condition } unless i == 0
+              condition = disambiguate_condition(table, condition) unless i == 0

              scope = scope.where(condition)
            end
@@ -138,6 +138,21 @@ def table_name_for(reflection)
        end
      end

+      def disambiguate_condition(table, condition)
+        if condition.is_a?(Hash)
+          Hash[
+            condition.map do |k, v|
+              if v.is_a?(Hash)
+                [k, v]
+              else
+                [table.table_alias || table.name, { k => v }]
+              end
+            end
+          ]
+        else
+          condition
+        end
+      end
    end
  end
 end
--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -6,7 +6,7 @@ def self.build_from_hash(engine, attributes, default_table)

        if value.is_a?(Hash)
          table = Arel::Table.new(column, engine)
-          build_from_hash(engine, value, table)
+          value.map { |k,v| build(table[k.to_sym], v) }
        else
          column = column.to_s


--- a/activerecord/test/cases/relation/where_test.rb
+++ b/activerecord/test/cases/relation/where_test.rb
+require "cases/helper"
+require 'models/post'
+
+module ActiveRecord
+  class WhereTest < ActiveRecord::TestCase
+    fixtures :posts
+
+    def test_where_error
+      assert_raises(ActiveRecord::StatementInvalid) do
+        Post.where(:id => { 'posts.author_id' => 10 }).first
+      end
+    end
+
+    def test_where_with_table_name
+      post = Post.first
+      assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+    end
+  end
+end