Add fix for Fix for CVE-2013-0277. Bump PKGREVISION.diff -r1.8 -r1.9 pkgsrc/databases/ruby-activerecord3/Makefile
(taca)
| @@ -1,16 +1,17 @@ | @@ -1,16 +1,17 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.8 2012/06/14 14:50:06 taca Exp $ | 1 | # $NetBSD: Makefile,v 1.9 2013/02/12 13:23:20 taca Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= activerecord-${RUBY_RAILS_VERSION} | 3 | DISTNAME= activerecord-${RUBY_RAILS_VERSION} | |
| 4 | PKGREVISION= 1 | |||
| 4 | CATEGORIES= databases | 5 | CATEGORIES= databases | |
| 5 | 6 | |||
| 6 | MAINTAINER= pkgsrc-users@NetBSD.org | 7 | MAINTAINER= pkgsrc-users@NetBSD.org | |
| 7 | HOMEPAGE= http://www.rubyonrails.org/ | 8 | HOMEPAGE= http://www.rubyonrails.org/ | |
| 8 | COMMENT= Object-relational mapper framework (part of Rails 3.0) | 9 | COMMENT= Object-relational mapper framework (part of Rails 3.0) | |
| 9 | LICENSE= mit | 10 | LICENSE= mit | |
| 10 | 11 | |||
| 11 | # Comment out dependency in gemspec but already depends indirectly one. | 12 | # Comment out dependency in gemspec but already depends indirectly one. | |
| 12 | #DEPENDS+= ${RUBY_ACTIVESUPPORT_DEPENDS} | 13 | #DEPENDS+= ${RUBY_ACTIVESUPPORT_DEPENDS} | |
| 13 | DEPENDS+= ${RUBY_ACTIVEMODEL_DEPENDS} | 14 | DEPENDS+= ${RUBY_ACTIVEMODEL_DEPENDS} | |
| 14 | DEPENDS+= ${RUBY_PKGPREFIX}-arel>=2.0.10<2.1:../../databases/ruby-arel20 | 15 | DEPENDS+= ${RUBY_PKGPREFIX}-arel>=2.0.10<2.1:../../databases/ruby-arel20 | |
| 15 | DEPENDS+= ${RUBY_PKGPREFIX}-tzinfo>=0.3.23<0.4:../../time/ruby-tzinfo | 16 | DEPENDS+= ${RUBY_PKGPREFIX}-tzinfo>=0.3.23<0.4:../../time/ruby-tzinfo | |
| 16 | 17 |
| @@ -1,5 +1,6 @@ | @@ -1,5 +1,6 @@ | |||
| 1 | $NetBSD: distinfo,v 1.18 2013/01/29 15:40:43 taca Exp $ | 1 | $NetBSD: distinfo,v 1.19 2013/02/12 13:23:20 taca Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (activerecord-3.0.20.gem) = d8fc6e02bf46f9b5f86c3a954932d67da211302b | 3 | SHA1 (activerecord-3.0.20.gem) = d8fc6e02bf46f9b5f86c3a954932d67da211302b | |
| 4 | RMD160 (activerecord-3.0.20.gem) = d0b2375d461414bb3d54122fd8e4812a4e4edac8 | 4 | RMD160 (activerecord-3.0.20.gem) = d0b2375d461414bb3d54122fd8e4812a4e4edac8 | |
| 5 | Size (activerecord-3.0.20.gem) = 344576 bytes | 5 | Size (activerecord-3.0.20.gem) = 344576 bytes | |
| 6 | SHA1 (patch-lib_active__record_attribute__methods_write.rb) = aea944d5d61de52643de6bdbd017d385cd7a7945 |
$NetBSD$
Fix for CVE-2013-0277.
--- lib/active_record/attribute_methods/write.rb.orig 2013-02-12 00:08:22.000000000 +0000
+++ lib/active_record/attribute_methods/write.rb
@@ -10,7 +10,14 @@ module ActiveRecord
module ClassMethods
protected
def define_method_attribute=(attr_name)
- if attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/
+ if self.serialized_attributes[attr_name]
+ generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value|
+ if new_value.is_a?(String) and new_value =~ /^---/
+ raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
+ end
+ write_attribute(attr_name, new_value)
+ end
+ elsif attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/
generated_attribute_methods.module_eval("def #{attr_name}=(new_value); write_attribute('#{attr_name}', new_value); end", __FILE__, __LINE__)
else
generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value|