From 1f108174445bb0363c1bede9a12f6290168246fa Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Tue, 6 Mar 2012 20:23:00 +0000 Subject: [PATCH] Prevent mass-assignment vulnerability when adding/updating a time entry (#922). --- app/controllers/timelog_controller.rb | 8 ++++---- app/models/time_entry.rb | 3 +++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb index 509240be..30a8f70d 100644 --- a/app/controllers/timelog_controller.rb +++ b/app/controllers/timelog_controller.rb @@ -97,7 +97,7 @@ class TimelogController < ApplicationController def new @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today) - @time_entry.attributes = params[:time_entry] + @time_entry.safe_attributes = params[:time_entry] call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry }) render :action => 'edit' @@ -106,7 +106,7 @@ class TimelogController < ApplicationController verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } def create @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today) - @time_entry.attributes = params[:time_entry] + @time_entry.safe_attributes = params[:time_entry] call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry }) @@ -127,14 +127,14 @@ class TimelogController < ApplicationController end def edit - @time_entry.attributes = params[:time_entry] + @time_entry.safe_attributes = params[:time_entry] call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry }) end verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed } def update - @time_entry.attributes = params[:time_entry] + @time_entry.safe_attributes = params[:time_entry] call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry }) diff --git a/app/models/time_entry.rb b/app/models/time_entry.rb index 2a23913a..901c0d4a 100644 --- a/app/models/time_entry.rb +++ b/app/models/time_entry.rb @@ -13,6 +13,7 @@ #++ class TimeEntry < ActiveRecord::Base + include Redmine::SafeAttributes # could have used polymorphic association # project association here allows easy loading of time entries at project level with one database trip belongs_to :project @@ -37,6 +38,8 @@ class TimeEntry < ActiveRecord::Base :conditions => Project.allowed_to_condition(args.first || User.current, :view_time_entries) }} + safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values' + def after_initialize if new_record? && self.activity.nil? if default_activity = TimeEntryActivity.default