activerecord/test/cases/nested_attributes_test.rb · v4.2.7.rc1 · Rails relative code / rails-deleted-2

Nov 27, 2015

Don't short-circuit reject_if proc · 2cb46635

Andrew White authored Nov 27, 2015

When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.

The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.

CVE-2015-7577

2cb46635

Don't short-circuit reject_if proc

Andrew White authored Nov 27, 2015

When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.

The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.

CVE-2015-7577