Merge tag 'tags/v2.7.2'

9eb7030f · Francisco Juan · a475d02d · 8d56d327 · 9eb7030f · 9eb7030f
Commit 9eb7030f authored 12 years ago by Francisco Juan
--- a/config/initializers/10-patches.rb
+++ b/config/initializers/10-patches.rb
@@ -115,4 +115,32 @@ module ActionController
      end
    end
  end
+
+  # Backported fix for CVE-2012-2660
+  # https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
+  # TODO: Remove this once we are on Rails >= 3.2.4
+  require 'action_controller/request'
+  class Request
+    protected
+
+    # Remove nils from the params hash
+    def deep_munge(hash)
+      hash.each_value do |v|
+        case v
+        when Array
+          v.grep(Hash) { |x| deep_munge(x) }
+        when Hash
+          deep_munge(v)
+        end
+      end
+
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+      hash
+    end
+
+    def parse_query(qs)
+      deep_munge(super)
+    end
+  end
 end
--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
 = ChiliProject changelog

+== 2012-06-09 v2.7.2
+
+* Bug #1025: Rails: Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)
+
 == 2012-04-04 v2.7.1

 * Bug #922: Mass assignment

--- a/lib/chili_project/version.rb
+++ b/lib/chili_project/version.rb
@@ -19,7 +19,7 @@ module ChiliProject

    MAJOR = 2
    MINOR = 7
-    PATCH = 1
+    PATCH = 2
    TINY  = PATCH # Redmine compat

    # Used by semver to define the special version (if any).