From 7a01874b75fdd62ab3626490cdf1c65c0ba659d0 Mon Sep 17 00:00:00 2001

From: Aaron Patterson <aaron.patterson@gmail.com>

Date: Mon, 18 Jan 2016 13:51:02 -0800

Subject: [PATCH] Eliminate instance level writers for class accessors

Instance level writers can have an impact on how the Active Model /

Record objects are saved.  Specifically, they can be used to bypass

validations.  This is a problem if mass assignment protection is

disabled and specific attributes are passed to the constructor.

Conflicts:

	activerecord/lib/active_record/scoping/default.rb

	activesupport/lib/active_support/callbacks.rb

CVE-2016-0753

---

 activemodel/lib/active_model/serializers/json.rb | 2 +-

 activemodel/lib/active_model/validations.rb      | 3 ++-

 activerecord/lib/active_record/enum.rb           | 2 +-

 activerecord/lib/active_record/reflection.rb     | 4 ++--

 activesupport/lib/active_support/callbacks.rb    | 2 +-

 5 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/activesupport/lib/active_support/callbacks.rb b/activesupport/lib/active_support/callbacks.rb

index 3265d11..3ba690b 100644

--- a/activesupport/lib/active_support/callbacks.rb

+++ b/activesupport/lib/active_support/callbacks.rb

@@ -726,7 +768,7 @@ module ActiveSupport

         end

         names.each do |name|

-          class_attribute "_#{name}_callbacks"

+          class_attribute "_#{name}_callbacks", instance_writer: false

           set_callbacks name, CallbackChain.new(name, options)

         end

       end

-- 

2.2.1