- Fix quoting of column aliases generated by calculation methods.

  Since the alias is derived from the table name, we can't assume the result is a valid identifier.

  ```ruby
  class Test < ActiveRecord::Base
    self.table_name = '1abc'
  end
  Test.group(:id).count
  # syntax error at or near "1" (ActiveRecord::StatementInvalid)
  # LINE 1: SELECT COUNT(*) AS count_all, "1abc"."id" AS 1abc_id FROM "1...
  ```

  Jean Boussier
- Add `authenticate_by` when using `has_secure_password`.

  `authenticate_by` is intended to replace code like the following, which returns early when a user with a matching email is not found:

  ```ruby
  User.find_by(email: "...")&.authenticate("...")
  ```

  Such code is vulnerable to timing-based enumeration attacks, wherein an attacker can determine if a user account with a given email exists. After confirming that an account exists, the attacker can try passwords associated with that email address from other leaked databases, in case the user re-used a password across multiple sites (a common practice). Additionally, knowing an account email address allows the attacker to attempt a targeted phishing ("spear phishing") attack.

  `authenticate_by` addresses the vulnerability by taking the same amount of time regardless of whether a user with a matching email is found:

  ```ruby
  User.authenticate_by(email: "...", password: "...")
  ```

  Jonathan Hefner
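The behaviour this entry describes, as an added example that is not Rails' own code: a stand-in `User` model whose `authenticate_by` hashes the submitted password against a dummy digest when the email is unknown, so a known and an unknown email both cost exactly one hash evaluation, next to the `find_by(...)&.authenticate(...)` pattern that returns before hashing. PBKDF2 from the Ruby stdlib stands in for bcrypt, and `User`, `PasswordHashing` and `hash_calls_for` are assumed names for this example; a hash-call counter shows the difference deterministically rather than by measuring wall-clock time.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not the Rails implementation. Models what the changelog entry
# describes: a has_secure_password-style model whose authenticate_by does the
# same amount of password hashing whether or not the email is known. PBKDF2
# (stdlib OpenSSL) stands in for bcrypt so the file runs without extra gems.
module PasswordHashing
  ITERATIONS = 20_000  # deliberately slow, so hashing dominates request time
  KEY_LENGTH = 32

  # Counts hash evaluations; lets the two code paths be compared
  # deterministically instead of with flaky wall-clock timing.
  @hash_calls = 0
  class << self
    attr_accessor :hash_calls
  end

  def self.digest(password, salt)
    self.hash_calls += 1
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Constant-time comparison of two equal-length binary strings.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Stand-in for an ActiveRecord model declaring has_secure_password.
class User
  attr_reader :email, :password_salt, :password_digest

  # Salt and digest hashed when no record matches, so an unknown email costs
  # exactly one hash evaluation, the same as a known one.
  DUMMY_SALT = SecureRandom.random_bytes(16)
  DUMMY_DIGEST = PasswordHashing.digest(SecureRandom.hex(16), DUMMY_SALT)

  def initialize(email, password)
    @email = email
    @password_salt = SecureRandom.random_bytes(16)
    @password_digest = PasswordHashing.digest(password, @password_salt)
  end

  # Mirrors has_secure_password#authenticate: the user on success, false otherwise.
  def authenticate(password)
    candidate = PasswordHashing.digest(password, password_salt)
    PasswordHashing.secure_compare(candidate, password_digest) && self
  end

  def self.records
    @records ||= []
  end

  def self.create(email, password)
    records << new(email, password)
    records.last
  end

  def self.find_by(email:)
    records.find { |u| u.email == email }
  end

  # The pattern the entry replaces: an unknown email returns before any
  # hashing, so the response is measurably faster than for a known one.
  def self.find_by_and_authenticate(email:, password:)
    find_by(email: email)&.authenticate(password)
  end

  # The authenticate_by shape: same cost on every path, nil unless the
  # credentials match.
  def self.authenticate_by(email:, password:)
    user = find_by(email: email)
    if user
      user.authenticate(password) || nil
    else
      # Hash against the dummy digest and discard the result.
      candidate = PasswordHashing.digest(password, DUMMY_SALT)
      PasswordHashing.secure_compare(candidate, DUMMY_DIGEST)
      nil
    end
  end
end

# Runs the block and returns how many password hashes it performed.
def hash_calls_for
  PasswordHashing.hash_calls = 0
  yield
  PasswordHashing.hash_calls
end

if __FILE__ == $PROGRAM_NAME
  User.create("demo@example.com", "correct horse battery staple")
  ["demo@example.com", "nobody@example.com"].each do |email|
    legacy = hash_calls_for { User.find_by_and_authenticate(email: email, password: "guess") }
    fixed  = hash_calls_for { User.authenticate_by(email: email, password: "guess") }
    puts "#{email}: find_by&.authenticate hashed #{legacy}x, authenticate_by hashed #{fixed}x"
  end
end
```

Run it directly and the unknown email shows zero hashes for the legacy pattern against one for `authenticate_by`, which is the difference an attacker's stopwatch sees; the hash-call count is a proxy for time, so in a real check also keep the lookup itself free of early exits that depend on the submitted value.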
Please check 7-0-stable for previous changes.