From bdf6e90f055ae09b7129e73ec062e3e020f01467 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Tue, 6 Mar 2012 18:48:47 +0000
Subject: Prevent mass-assignment when adding a news comment (#10390).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9129 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/comments_controller.rb | 3 ++-
 app/models/comment.rb                  | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 3a27b973a..ca9aa1a86 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -25,7 +25,8 @@ class CommentsController < ApplicationController
   def create
     raise Unauthorized unless @news.commentable?
 
-    @comment = Comment.new(params[:comment])
+    @comment = Comment.new
+    @comment.safe_attributes = params[:comment]
     @comment.author = User.current
     if @news.comments << @comment
       flash[:notice] = l(:label_comment_added)
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 701f0344e..4b7e098f1 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -16,8 +16,11 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class Comment < ActiveRecord::Base
+  include Redmine::SafeAttributes
   belongs_to :commented, :polymorphic => true, :counter_cache => true
   belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
 
   validates_presence_of :commented, :author, :comments
+
+  safe_attributes 'comments'
 end
-- 
cgit v1.2.3