Merge pull request #2759 from evazion/fix-dmail-filters

Don't filter dmails from moderators; fix dmail filter exploit.
2016-11-14 16:27:17 -08:00
parent 536ba3c7ee 47f663e002
commit 0b9c1e1156
4 changed files with 55 additions and 4 deletions
--- a/app/controllers/maintenance/user/dmail_filters_controller.rb
+++ b/app/controllers/maintenance/user/dmail_filters_controller.rb
@@ -3,6 +3,7 @@ module Maintenance
    class DmailFiltersController < ApplicationController
      before_filter :ensure_ownership
      before_filter :member_only
+      respond_to :html, :json, :xml

      def edit
        @dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
@@ -10,9 +11,9 @@ module Maintenance

      def update
        @dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
-        @dmail_filter.update_attributes(params[:dmail_filter])
+        @dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role)
        flash[:notice] = "Filter updated"
-        redirect_to(dmail_path(@dmail.id))
+        respond_with(@dmail)
      end

    private
--- a/app/models/dmail_filter.rb
+++ b/app/models/dmail_filter.rb
@@ -1,6 +1,6 @@
 class DmailFilter < ActiveRecord::Base
  belongs_to :user
-  attr_accessible :user_id, :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
+  attr_accessible :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
  validates_presence_of :user
  before_validation :initialize_user

@@ -11,7 +11,7 @@ class DmailFilter < ActiveRecord::Base
  end

  def filtered?(dmail)
-    dmail.from.level <= User::Levels::MODERATOR && has_filter? && (dmail.body =~ regexp || dmail.title =~ regexp || dmail.from.name =~ regexp)
+    dmail.from.level < User::Levels::MODERATOR && has_filter? && (dmail.body =~ regexp || dmail.title =~ regexp || dmail.from.name =~ regexp)
  end

  def has_filter?
--- a/test/functional/maintenance/user/dmail_filters_controller_test.rb
+++ b/test/functional/maintenance/user/dmail_filters_controller_test.rb
@@ -0,0 +1,40 @@
+require "test_helper"
+
+module Maintenance
+  module User
+    class DmailFiltersControllerTest < ActionController::TestCase
+      context "The dmail filters controller" do
+        setup do
+          @user1 = FactoryGirl.create(:user)
+          @user2 = FactoryGirl.create(:user)
+          CurrentUser.user = @user1
+          CurrentUser.ip_addr = "127.0.0.1"
+        end
+
+        teardown do
+          CurrentUser.user = nil
+          CurrentUser.ip_addr = nil
+        end
+
+        context "update action" do
+          should "not allow a user to create a filter belonging to another user" do
+            @dmail = FactoryGirl.create(:dmail, :owner => @user1)
+
+            params = {
+              :dmail_id => @dmail.id,
+              :dmail_filter => {
+                :words => "owned",
+                :user_id => @user2.id
+              }
+            }
+
+            post :update, params, { :user_id => @user1.id }
+
+            assert_not_equal("owned", @user2.reload.dmail_filter.try(&:words))
+            assert_redirected_to(@dmail)
+          end
+        end
+      end
+    end
+  end
+end
--- a/test/unit/dmail_test.rb
+++ b/test/unit/dmail_test.rb
@@ -38,6 +38,16 @@ class DmailTest < ActiveSupport::TestCase
        assert_equal(false, @recipient.has_mail?)
      end

+      should "be ignored when sender is a moderator" do
+        CurrentUser.scoped(FactoryGirl.create(:moderator_user), "127.0.0.1") do
+          @dmail = FactoryGirl.create(:dmail, :owner => @recipient, :body => "banned word here", :to => @recipient)
+        end
+
+        assert_equal(false, !!@recipient.dmail_filter.filtered?(@dmail))
+        assert_equal(false, @dmail.is_read?)
+        assert_equal(true, @recipient.has_mail?)
+      end
+
      context "that is empty" do
        setup do
          @recipient.dmail_filter.update_attributes(:words => "   ")