From 13b1b381de048e00f06fbab410d9d3ecc26460b9 Mon Sep 17 00:00:00 2001
From: Tobias Kraze
Date: Fri, 8 Feb 2013 12:52:10 +0100
Subject: [PATCH] fix serialization vulnerability
---
 .../lib/active_record/attribute_methods/write.rb | 9 ++++++++-
 activerecord/test/cases/base_test.rb | 6 ++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/activerecord/lib/active_record/attribute_methods/write.rb b/activerecord/lib/active_record/attribute_methods/write.rb
index 3c4dab3..4684c4b 100644
--- a/activerecord/lib/active_record/attribute_methods/write.rb
+++ b/activerecord/lib/active_record/attribute_methods/write.rb
@@ -10,7 +10,14 @@ module ActiveRecord
 module ClassMethods
 protected
 def define_method_attribute=(attr_name)
- if attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/
+ if self.serialized_attributes[attr_name]
+ generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value|
+ if new_value.is_a?(String) and new_value =~ /^---/
+ raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
+ end
+ write_attribute(attr_name, new_value)
+ end
+ elsif attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/
 generated_attribute_methods.module_eval("def #{attr_name}=(new_value); write_attribute('#{attr_name}', new_value); end", __FILE__, __LINE__)
 else
 generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value|
diff --git a/activerecord/test/cases/base_test.rb b/activerecord/test/cases/base_test.rb
index 0894c7d..eb39c10 100644
--- a/activerecord/test/cases/base_test.rb
+++ b/activerecord/test/cases/base_test.rb
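Review bot: The added guard `new_value =~ /^---/` anchors with `^`, which in Ruby matches at the start of any line, so a legitimate multi-line string value whose second or later line happens to begin with `---` (a Markdown rule, for instance) is rejected as "already serialized" even though the intent is to inspect the start of the string; `if new_value.is_a?(String) && new_value =~ /\A---/` (or `new_value.start_with?('---')`) checks only the beginning and also replaces the low-precedence `and`. This check is a heuristic rather than a complete guard, since a YAML document is not required to begin with the `---` marker, so the durable mitigation remains restricting what the serialization coder is willing to load on read; a short comment above the raise stating that the check is defence in depth would stop a later reader from treating it as the whole fix. The `self.` in `self.serialized_attributes[attr_name]` is redundant inside a class method. define_method_attribute= continues past the end of the hunk.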
@@ -1040,6 +1040,12 @@ class BasicsTest < ActiveRecord::TestCase
 assert_nil topic.content
 end
 
+ def test_should_raise_exception_on_assigning_already_serialized_content
+ topic = Topic.new
+ serialized_content = %w[foo bar].to_yaml
+ assert_raise(ActiveRecord::ActiveRecordError) { topic.content = serialized_content }
+ end
+
 def test_should_raise_exception_on_serialized_attribute_with_type_mismatch
 myobj = MyObject.new('value1', 'value2')
 topic = Topic.new(:content => myobj)
-- 
1.7.9.5
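Review bot: The new test pins only the rejecting path of the guard; a companion assertion that an ordinary string is still accepted on a serialized attribute would catch a future over-broad check, e.g. `assert_nothing_raised { topic.content = 'plain text' }` inside test_should_raise_exception_on_assigning_already_serialized_content. Since `%w[foo bar].to_yaml` happens to start with `---`, a one-line comment on the `serialized_content` assignment saying that it is the leading document marker being rejected would make the scope of the guard explicit to the next reader.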