Fix mass assignment vuln in comment update action (#2704).

Prevents mass assignment of `post_id`, `do_not_bump_post`, and
`is_deleted`.

app/controllers/comments_controller.rb

@@ -23,7 +23,7 @@ class CommentsController < ApplicationController
   def update
     @comment = Comment.find(params[:id])
     check_privilege(@comment)
-    @comment.update_attributes(params[:comment])
+    @comment.update_attributes(params[:comment].permit(:body))
     respond_with(@comment, :location => post_path(@comment.post_id))
   end
 

test/functional/comments_controller_test.rb

@@ -33,6 +33,28 @@ class CommentsControllerTest < ActionController::TestCase
         post :update, {:id => @comment.id, :comment => {:body => "abc"}}, {:user_id => @comment.creator_id}
         assert_redirected_to post_path(@comment.post)
       end
+
+      should "only allow changing the body" do
+        params = {
+          id: @comment.id,
+          comment: {
+            body: "herp derp",
+            do_not_bump_post: true,
+            is_deleted: true,
+            post_id: FactoryGirl.create(:post).id,
+          }
+        }
+
+        post :update, params, { :user_id => @comment.creator_id }
+        @comment.reload
+
+        assert_equal("herp derp", @comment.body)
+        assert_equal(false, @comment.do_not_bump_post)
+        assert_equal(false, @comment.is_deleted)
+        assert_equal(@post.id, @comment.post_id)
+
+        assert_redirected_to post_path(@post)
+      end
     end
 
     context "create action"do