Prevent mass-assignment vulnerability when adding/updating a forum message (#922).

2012-03-06 19:46:59 +00:00 · 2012-03-06 19:46:59 +00:00 · c3ca5813d5
commit c3ca5813d5
parent 384890c5ad
2 changed files with 20 additions and 16 deletions
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@ -48,26 +48,26 @@ class MessagesController < ApplicationController

  # Create a new topic
  def new
-    @message = Message.new(params[:message])
+    @message = Message.new
    @message.author = User.current
    @message.board = @board
-    if params[:message] && User.current.allowed_to?(:edit_messages, @project)
-      @message.locked = params[:message]['locked']
-      @message.sticky = params[:message]['sticky']
-    end
-    if request.post? && @message.save
-      call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
-      attachments = Attachment.attach_files(@message, params[:attachments])
-      render_attachment_warning_if_needed(@message)
-      redirect_to :action => 'show', :id => @message
+    @message.safe_attributes = params[:message]
+    if request.post?
+      if @message.save
+        call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
+        attachments = Attachment.attach_files(@message, params[:attachments])
+        render_attachment_warning_if_needed(@message)
+        redirect_to :action => 'show', :id => @message
+      end
    end
  end

  # Reply to a topic
  def reply
-    @reply = Message.new(params[:reply])
+    @reply = Message.new
    @reply.author = User.current
    @reply.board = @board
+    @reply.safe_attributes = params[:reply]
    @topic.children << @reply
    if !@reply.new_record?
      call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
@ -80,11 +80,8 @@ class MessagesController < ApplicationController
  # Edit a message
  def edit
    (render_403; return false) unless @message.editable_by?(User.current)
-    if params[:message]
-      @message.locked = params[:message]['locked']
-      @message.sticky = params[:message]['sticky']
-    end
-    if request.post? && @message.update_attributes(params[:message])
+    @message.safe_attributes = params[:message]
+    if request.post? && @message.save
      attachments = Attachment.attach_files(@message, params[:attachments])
      render_attachment_warning_if_needed(@message)
      flash[:notice] = l(:notice_successful_update)
--- a/app/models/message.rb
+++ b/app/models/message.rb
@ -13,6 +13,7 @@
 #++

 class Message < ActiveRecord::Base
+  include Redmine::SafeAttributes
  belongs_to :board
  belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
  acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
@ -49,6 +50,12 @@ class Message < ActiveRecord::Base
  named_scope :visible, lambda {|*args| { :include => {:board => :project},
                                          :conditions => Project.allowed_to_condition(args.first || User.current, :view_messages) } }

+  safe_attributes 'subject', 'content'
+  safe_attributes 'locked', 'sticky',
+    :if => lambda {|message, user|
+      user.allowed_to?(:edit_messages, message.project)
+    }
+
  def visible?(user=User.current)
    !user.nil? && user.allowed_to?(:view_messages, project)
  end