authorMarius Balteanu <marius.balteanu@zitec.com>2022-03-18 18:42:55 +0000
committerMarius Balteanu <marius.balteanu@zitec.com>2022-03-18 18:42:55 +0000
commitce622c428e2fc40c32e9ee09aafc44d739b389e3 (patch)
tree99e9bad0d82038b53b7fe46ec7b53d993f59cd45 /app/controllers
parentd6c0759db4f3322d18f970e558920b20aed552af (diff)
Avoid passing ActionController::Parameters outside of MailHandlerController (#36394).
Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@21464 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/mail_handler_controller.rb27
1 files changed, 26 insertions, 1 deletions
diff --git a/app/controllers/mail_handler_controller.rb b/app/controllers/mail_handler_controller.rb
index 649714bcc..aabc3cbac 100644
--- a/app/controllers/mail_handler_controller.rb
+++ b/app/controllers/mail_handler_controller.rb
@@ -28,7 +28,32 @@ class MailHandlerController < ActionController::Base
# Submits an incoming email to MailHandler
def index
- options = params.dup
+ # MailHandlerController#index should permit all options set by
+ # RedmineMailHandler#submit in rdm-mailhandler.rb.
+ # It must be kept in sync.
+ options = params.permit(
+ :key,
+ :email,
+ :allow_override,
+ :unknown_user,
+ :default_group,
+ :no_account_notice,
+ :no_notification,
+ :no_permission_check,
+ :project_from_subaddress,
+ {
+ issue: [
+ :project,
+ :status,
+ :tracker,
+ :category,
+ :priority,
+ :assigned_to,
+ :fixed_version,
+ :is_private
+ ]
+ }
+ ).to_h
email = options.delete(:email)
if MailHandler.safe_receive(email, options)
head :created