authorMarius Balteanu <marius.balteanu@zitec.com>2022-03-18 18:42:55 +0000
committerMarius Balteanu <marius.balteanu@zitec.com>2022-03-18 18:42:55 +0000
commitce622c428e2fc40c32e9ee09aafc44d739b389e3 (patch)
tree99e9bad0d82038b53b7fe46ec7b53d993f59cd45
parentd6c0759db4f3322d18f970e558920b20aed552af (diff)
Avoid passing ActionController::Parameters outside of MailHandlerController (#36394).
Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@21464 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/mail_handler_controller.rb27
-rw-r--r--extra/mail_handler/rdm-mailhandler.rb3
2 files changed, 29 insertions, 1 deletions
diff --git a/app/controllers/mail_handler_controller.rb b/app/controllers/mail_handler_controller.rb
index 649714bcc..aabc3cbac 100644
--- a/app/controllers/mail_handler_controller.rb
+++ b/app/controllers/mail_handler_controller.rb
@@ -28,7 +28,32 @@ class MailHandlerController < ActionController::Base
# Submits an incoming email to MailHandler
def index
- options = params.dup
+ # MailHandlerController#index should permit all options set by
+ # RedmineMailHandler#submit in rdm-mailhandler.rb.
+ # It must be kept in sync.
+ options = params.permit(
+ :key,
+ :email,
+ :allow_override,
+ :unknown_user,
+ :default_group,
+ :no_account_notice,
+ :no_notification,
+ :no_permission_check,
+ :project_from_subaddress,
+ {
+ issue: [
+ :project,
+ :status,
+ :tracker,
+ :category,
+ :priority,
+ :assigned_to,
+ :fixed_version,
+ :is_private
+ ]
+ }
+ ).to_h
email = options.delete(:email)
if MailHandler.safe_receive(email, options)
head :created
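Review bot: The allow-list passed to `params.permit(` is a hand-maintained copy of the option names that rdm-mailhandler.rb posts, and the only thing guarding against drift is the "must be kept in sync" comment repeated in both files; once they diverge, a newly added option is dropped silently, or, if this application sets `action_on_unpermitted_parameters` to `:raise`, the request fails with `ActionController::UnpermittedParameters` instead. Moving the symbol list into a frozen constant on the controller and writing `options = params.permit(*PERMITTED_OPTIONS).to_h` gives one greppable definition that a test can compare against the script's `data` hash. The property this change actually introduces — that an unlisted key never reaches `MailHandler.safe_receive` — is also worth pinning with a controller test that posts one extra parameter and asserts on the options the mock receives. The `else` branch of `index` that follows `head :created` is outside the hunk.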
diff --git a/extra/mail_handler/rdm-mailhandler.rb b/extra/mail_handler/rdm-mailhandler.rb
index 2289ab5c1..c8394d99f 100644
--- a/extra/mail_handler/rdm-mailhandler.rb
+++ b/extra/mail_handler/rdm-mailhandler.rb
@@ -153,6 +153,9 @@ END_DESC
headers = { 'User-Agent' => "Redmine mail handler/#{VERSION}" }
+ # MailHandlerController#index should permit all options set by
+ # RedmineMailHandler#submit in rdm-mailhandler.rb.
+ # It must be kept in sync.
data = { 'key' => key, 'email' => email.gsub(/(?<!\r)\n|\r(?!\n)/, "\r\n"),
'allow_override' => allow_override,
'unknown_user' => unknown_user,