From 3542641ebd83a31f6b633b7af30ae6f37e563a1b Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Sun, 23 Dec 2012 11:07:07 -0800
Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if
 there are extra parameters

---
 activerecord/lib/active_record/base.rb |    6 +++++-
 activerecord/test/cases/finder_test.rb |   12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index f89b949..a05623d 100644
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -988,7 +988,11 @@ module ActiveRecord #:nodoc:
             attribute_names = match.attribute_names
             super unless all_attributes_exists?(attribute_names)
             if match.finder?
-              options = arguments.extract_options!
+              options = if arguments.length > attribute_names.size
+                          arguments.extract_options!
+                        else
+                          {}
+                        end
               relation = options.any? ? construct_finder_arel(options, current_scoped_methods) : scoped
               relation.send :find_by_attributes, match, attribute_names, *arguments
             elsif match.instantiator?
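Review bot: The new length comparison at `options = if arguments.length > attribute_names.size` carries the whole security meaning of this patch but nothing in the code says why, so a later refactor could fold it back into a plain `extract_options!`. I would put a comment above it: `# A trailing Hash is treated as finder options only when it is a surplus argument; with exactly one argument per attribute, a Hash supplied by the caller (e.g. straight from params) is an attribute value, not options like :select/:order (CVE-2012-5664).` It is also worth noting in the same comment that `find_by_attributes` still receives the Hash as a value via `*arguments`, which appears to be the intended path rather than something this branch filters. The enclosing method, presumably the dynamic-finder `method_missing`, begins and ends outside the hunk, and the `instantiator?` branch that follows is not covered here.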
-- 
1.7.10.2 (Apple Git-33)