Skip to content

O
OHR Support
Commit 902c624b authored by Jean-Philippe Lang's avatar Jean-Philippe Lang Committed by Holger Just
Browse files
Options

Prevent mass-assignment vulnerability when adding/updating a wiki (#922).

parent aee7d731
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 1 deletion
app/controllers/wikis_controller.rb
View file @ 902c624b
......@@ -19,7 +19,7 @@ class WikisController < ApplicationController
# Create or update a project's wiki
def edit
@wiki = @project.wiki || Wiki.new(:project => @project)
@wiki.attributes = params[:wiki]
@wiki.safe_attributes = params[:wiki]
@wiki.save if request.post?
render(:update) {|page| page.replace_html "tab-content-wiki", :partial => 'projects/settings/wiki'}
end
......
app/models/wiki.rb
View file @ 902c624b
......@@ -13,6 +13,7 @@
#++
class Wiki < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
has_many :pages, :class_name => 'WikiPage', :dependent => :destroy, :order => 'title'
has_many :redirects, :class_name => 'WikiRedirect', :dependent => :delete_all
......@@ -22,6 +23,8 @@ class Wiki < ActiveRecord::Base
validates_presence_of :start_page
validates_format_of :start_page, :with => /^[^,\.\/\?\;\|\:]*$/
safe_attributes 'start_page'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_wiki_pages, project)
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment