|
 |
607312 |
From 7a01874b75fdd62ab3626490cdf1c65c0ba659d0 Mon Sep 17 00:00:00 2001
|
|
|
607312 |
From: Aaron Patterson <aaron.patterson@gmail.com>
|
|
|
607312 |
Date: Mon, 18 Jan 2016 13:51:02 -0800
|
|
|
607312 |
Subject: [PATCH] Eliminate instance level writers for class accessors
|
|
|
607312 |
|
|
|
607312 |
Instance level writers can have an impact on how the Active Model /
|
|
|
607312 |
Record objects are saved. Specifically, they can be used to bypass
|
|
|
607312 |
validations. This is a problem if mass assignment protection is
|
|
|
607312 |
disabled and specific attributes are passed to the constructor.
|
|
|
607312 |
|
|
|
607312 |
Conflicts:
|
|
|
607312 |
activerecord/lib/active_record/scoping/default.rb
|
|
|
607312 |
activesupport/lib/active_support/callbacks.rb
|
|
|
607312 |
|
|
|
607312 |
CVE-2016-0753
|
|
|
607312 |
---
|
|
|
607312 |
activemodel/lib/active_model/serializers/json.rb | 2 +-
|
|
|
607312 |
activemodel/lib/active_model/validations.rb | 3 ++-
|
|
|
607312 |
activerecord/lib/active_record/enum.rb | 2 +-
|
|
|
607312 |
activerecord/lib/active_record/reflection.rb | 4 ++--
|
|
|
607312 |
activesupport/lib/active_support/callbacks.rb | 2 +-
|
|
|
607312 |
5 files changed, 7 insertions(+), 6 deletions(-)
|
|
|
607312 |
|
|
|
607312 |
diff --git a/activemodel/lib/active_model/serializers/json.rb b/activemodel/lib/active_model/serializers/json.rb
|
|
|
607312 |
index c58e73f..fd405ff 100644
|
|
|
607312 |
--- a/activemodel/lib/active_model/serializers/json.rb
|
|
|
607312 |
+++ b/activemodel/lib/active_model/serializers/json.rb
|
|
|
607312 |
@@ -10,7 +10,7 @@ module ActiveModel
|
|
|
607312 |
included do
|
|
|
607312 |
extend ActiveModel::Naming
|
|
|
607312 |
|
|
|
607312 |
- class_attribute :include_root_in_json
|
|
|
607312 |
+ class_attribute :include_root_in_json, instance_writer: false
|
|
|
607312 |
self.include_root_in_json = false
|
|
|
607312 |
end
|
|
|
607312 |
|
|
|
607312 |
diff --git a/activemodel/lib/active_model/validations.rb b/activemodel/lib/active_model/validations.rb
|
|
|
607312 |
index e9674d5..7451da0 100644
|
|
|
607312 |
--- a/activemodel/lib/active_model/validations.rb
|
|
|
607312 |
+++ b/activemodel/lib/active_model/validations.rb
|
|
|
607312 |
@@ -46,9 +46,10 @@ module ActiveModel
|
|
|
607312 |
include HelperMethods
|
|
|
607312 |
|
|
|
607312 |
attr_accessor :validation_context
|
|
|
607312 |
+ private :validation_context=
|
|
|
607312 |
define_callbacks :validate, scope: :name
|
|
|
607312 |
|
|
|
607312 |
- class_attribute :_validators
|
|
|
607312 |
+ class_attribute :_validators, instance_writer: false
|
|
|
607312 |
self._validators = Hash.new { |h,k| h[k] = [] }
|
|
|
607312 |
end
|
|
|
607312 |
|
|
|
607312 |
--
|
|
|
607312 |
2.2.1
|
|
|
607312 |
|