Correctly escape PostgreSQL arrays.

Thanks Godfrey Chan for reporting this! Fixes: CVE-2014-0080

Correctly escape PostgreSQL arrays.
Thanks Godfrey Chan for reporting this! Fixes: CVE-2014-0080
6256b1de · Aaron Patterson · Rafael Mendonça França · 08d0a11a · 6256b1de · 6256b1de
2 changed file
--- a/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql/cast.rb
@@ -142,12 +142,16 @@ def escape_hstore(value)
            end
          end

+          ARRAY_ESCAPE = "\\" * 2 * 2 # escape the backslash twice for PG arrays
+
          def quote_and_escape(value)
            case value
            when "NULL"
              value
            else
-              "\"#{value.gsub(/"/,"\\\"")}\""
+              value = value.gsub(/\\/, ARRAY_ESCAPE)
+              value.gsub!(/"/,"\\\"")
+              "\"#{value}\""
            end
          end


--- a/activerecord/test/cases/adapters/postgresql/datatype_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/datatype_test.rb
@@ -78,6 +78,14 @@ def teardown
     PostgresqlBitString, PostgresqlOid, PostgresqlTimestampWithZone, PostgresqlUUID].each(&:delete_all)
  end

+  def test_array_escaping
+    unknown = %(foo\\",bar,baz,\\)
+    nicknames = ["hello_#{unknown}"]
+    ar = PostgresqlArray.create!(nicknames: nicknames, id: 100)
+    ar.reload
+    assert_equal nicknames, ar.nicknames
+  end
+
  def test_data_type_of_array_types
    assert_equal :integer, @first_array.column_for_attribute(:commission_by_quarter).type
    assert_equal :text, @first_array.column_for_attribute(:nicknames).type