Avoid passing ActionController::Parameters outside of MailHandlerController (#36394).

Patch by Felix Schäfer.



git-svn-id: http://svn.redmine.org/redmine/trunk@21464 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/mail_handler_controller.rb

@@ -28,7 +28,32 @@ class MailHandlerController < ActionController::Base
 
   # Submits an incoming email to MailHandler
   def index
-    options = params.dup
+    # MailHandlerController#index should permit all options set by
+    # RedmineMailHandler#submit in rdm-mailhandler.rb.
+    # It must be kept in sync.
+    options = params.permit(
+      :key,
+      :email,
+      :allow_override,
+      :unknown_user,
+      :default_group,
+      :no_account_notice,
+      :no_notification,
+      :no_permission_check,
+      :project_from_subaddress,
+      {
+        issue: [
+          :project,
+          :status,
+          :tracker,
+          :category,
+          :priority,
+          :assigned_to,
+          :fixed_version,
+          :is_private
+        ]
+      }
+    ).to_h
     email = options.delete(:email)
     if MailHandler.safe_receive(email, options)
       head :created

extra/mail_handler/rdm-mailhandler.rb

@@ -153,6 +153,9 @@ END_DESC
 
     headers = { 'User-Agent' => "Redmine mail handler/#{VERSION}" }
 
+    # MailHandlerController#index should permit all options set by
+    # RedmineMailHandler#submit in rdm-mailhandler.rb.
+    # It must be kept in sync.
     data = { 'key' => key, 'email' => email.gsub(/(?<!\r)\n|\r(?!\n)/, "\r\n"),
                            'allow_override' => allow_override,
                            'unknown_user' => unknown_user,