From 0fdf0aa845eead13ee04022f2384b1fd108fc435 Mon Sep 17 00:00:00 2001 From: Ernie Miller Date: Tue, 8 Jan 2013 18:41:59 -0500 Subject: [PATCH] Fix for CVE-2013-0155 --- activerecord/lib/active_record/base.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb index 0179b00..cfc6e86 100755 --- a/activerecord/lib/active_record/base.rb +++ b/activerecord/lib/active_record/base.rb @@ -2340,6 +2340,8 @@ module ActiveRecord #:nodoc: def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true) attrs = expand_hash_conditions_for_aggregates(attrs) + return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty? + conditions = attrs.map do |attr, value| table_name = default_table_name -- 1.8.0.1