|
 |
cf260a |
From 7a01874b75fdd62ab3626490cdf1c65c0ba659d0 Mon Sep 17 00:00:00 2001
|
|
|
cf260a |
From: Aaron Patterson <aaron.patterson@gmail.com>
|
|
|
cf260a |
Date: Mon, 18 Jan 2016 13:51:02 -0800
|
|
|
cf260a |
Subject: [PATCH] Eliminate instance level writers for class accessors
|
|
|
cf260a |
|
|
|
cf260a |
Instance level writers can have an impact on how the Active Model /
|
|
|
cf260a |
Record objects are saved. Specifically, they can be used to bypass
|
|
|
cf260a |
validations. This is a problem if mass assignment protection is
|
|
|
cf260a |
disabled and specific attributes are passed to the constructor.
|
|
|
cf260a |
|
|
|
cf260a |
Conflicts:
|
|
|
cf260a |
activerecord/lib/active_record/scoping/default.rb
|
|
|
cf260a |
activesupport/lib/active_support/callbacks.rb
|
|
|
cf260a |
|
|
|
cf260a |
CVE-2016-0753
|
|
|
cf260a |
---
|
|
|
cf260a |
activemodel/lib/active_model/serializers/json.rb | 2 +-
|
|
|
cf260a |
activemodel/lib/active_model/validations.rb | 3 ++-
|
|
|
cf260a |
activerecord/lib/active_record/enum.rb | 2 +-
|
|
|
cf260a |
activerecord/lib/active_record/reflection.rb | 4 ++--
|
|
|
cf260a |
activesupport/lib/active_support/callbacks.rb | 2 +-
|
|
|
cf260a |
5 files changed, 7 insertions(+), 6 deletions(-)
|
|
|
cf260a |
|
|
|
cf260a |
diff --git a/activerecord/lib/active_record/enum.rb b/activerecord/lib/active_record/enum.rb
|
|
|
cf260a |
index fba7747..c99941e 100644
|
|
|
cf260a |
--- a/activerecord/lib/active_record/enum.rb
|
|
|
cf260a |
+++ b/activerecord/lib/active_record/enum.rb
|
|
|
cf260a |
@@ -68,7 +68,7 @@ module ActiveRecord
|
|
|
cf260a |
# Where conditions on an enum attribute must use the ordinal value of an enum.
|
|
|
cf260a |
module Enum
|
|
|
cf260a |
def self.extended(base)
|
|
|
cf260a |
- base.class_attribute(:defined_enums)
|
|
|
cf260a |
+ base.class_attribute(:defined_enums, instance_writer: false)
|
|
|
cf260a |
base.defined_enums = {}
|
|
|
cf260a |
end
|
|
|
cf260a |
|
|
|
cf260a |
diff --git a/activerecord/lib/active_record/reflection.rb b/activerecord/lib/active_record/reflection.rb
|
|
|
cf260a |
index 824e005..82b0123 100644
|
|
|
cf260a |
--- a/activerecord/lib/active_record/reflection.rb
|
|
|
cf260a |
+++ b/activerecord/lib/active_record/reflection.rb
|
|
|
cf260a |
@@ -4,8 +4,8 @@ module ActiveRecord
|
|
|
cf260a |
extend ActiveSupport::Concern
|
|
|
cf260a |
|
|
|
cf260a |
included do
|
|
|
cf260a |
- class_attribute :_reflections
|
|
|
cf260a |
- class_attribute :aggregate_reflections
|
|
|
cf260a |
+ class_attribute :_reflections, instance_writer: false
|
|
|
cf260a |
+ class_attribute :aggregate_reflections, instance_writer: false
|
|
|
cf260a |
self._reflections = {}
|
|
|
cf260a |
self.aggregate_reflections = {}
|
|
|
cf260a |
end
|
|
|
cf260a |
--
|
|
|
cf260a |
2.2.1
|
|
|
cf260a |
|