tagged version 1.4.7

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/tags/1.4.7@11238 e93f8b46-1217-0410-a6f0-8f06a7374b81

config/initializers/10-patches.rb

@@ -115,3 +115,45 @@ module ActionController
     end
   end
 end
+
+# Fix for CVE-2013-0155
+# https://groups.google.com/d/msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ
+# https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
+# https://github.com/rails/rails/blob/v2.3.15/activerecord/lib/active_record/base.rb#L2340
+module ActiveRecord
+  class Base
+    class << self
+    protected
+      def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
+        attrs = expand_hash_conditions_for_aggregates(attrs)
+
+        return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
+
+        conditions = attrs.map do |attr, value|
+          table_name = default_table_name
+
+          if not value.is_a?(Hash)
+            attr = attr.to_s
+
+            # Extract table name from qualified attribute names.
+            if attr.include?('.') and top_level
+              attr_table_name, attr = attr.split('.', 2)
+              attr_table_name = connection.quote_table_name(attr_table_name)
+            else
+              attr_table_name = table_name
+            end
+
+            attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
+          elsif top_level
+            sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
+          else
+            raise ActiveRecord::StatementInvalid
+          end
+        end.join(' AND ')
+
+        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
+      end
+      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
+    end
+  end
+end

doc/CHANGELOG

@@ -4,6 +4,10 @@ Redmine - project management software
 Copyright (C) 2006-2012  Jean-Philippe Lang
 http://www.redmine.org/
 
+== 2013-01-20 v1.4.7
+
+* Patch for Rails vulnerability CVE-2013-0155
+
 == 2013-01-09 v1.4.6
 
 * Upgrade to Rails 2.3.15

lib/redmine/version.rb

@@ -4,7 +4,7 @@ module Redmine
   module VERSION #:nodoc:
     MAJOR = 1
     MINOR = 4
-    TINY  = 6
+    TINY  = 7
 
     # Branch values:
     # * official release: nil