Prevent mass-assignment vulnerability when adding/updating a wiki (#922).

This commit is contained in:
Jean-Philippe Lang 2012-03-06 20:34:38 +00:00 committed by Holger Just
parent fc5dfd5813
commit 275163ead2
2 changed files with 4 additions and 1 deletions

View File

@ -19,7 +19,7 @@ class WikisController < ApplicationController
# Create or update a project's wiki
def edit
@wiki = @project.wiki || Wiki.new(:project => @project)
@wiki.attributes = params[:wiki]
@wiki.safe_attributes = params[:wiki]
@wiki.save if request.post?
render(:update) {|page| page.replace_html "tab-content-wiki", :partial => 'projects/settings/wiki'}
end

View File

@ -13,6 +13,7 @@
#++
class Wiki < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
has_many :pages, :class_name => 'WikiPage', :dependent => :destroy, :order => 'title'
has_many :redirects, :class_name => 'WikiRedirect', :dependent => :delete_all
@ -22,6 +23,8 @@ class Wiki < ActiveRecord::Base
validates_presence_of :start_page
validates_format_of :start_page, :with => /^[^,\.\/\?\;\|\:]*$/
safe_attributes 'start_page'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_wiki_pages, project)
end