Fix vuln allowing users to move notes between posts.

Prevents this from working:

    PUT /notes/1.json?note[post_id]=23
    PUT /notes/1.json?note[post_id]=42
evazion
2016-10-19 22:39:57 -05:00
parent d2f3027294
commit 8df1496d28


@@ -20,7 +20,7 @@ class NotesController < ApplicationController
end
def create
@note = Note.create(params[:note])
@note = Note.create(create_params)
respond_with(@note) do |fmt|
fmt.json do
if @note.errors.any?
@@ -34,7 +34,7 @@ class NotesController < ApplicationController
def update
@note = Note.find(params[:id])
@note.update_attributes(params[:note])
@note.update_attributes(update_params)
respond_with(@note) do |format|
format.json do
if @note.errors.any?
@@ -60,6 +60,14 @@ class NotesController < ApplicationController
end
private
def update_params
params.require(:note).permit(:x, :y, :width, :height, :body)
end
def create_params
params.require(:note).permit(:x, :y, :width, :height, :body, :post_id)
end
def pass_html_id
if params[:note] && params[:note][:html_id]
response.headers["X-Html-Id"] = params[:note][:html_id]
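Review bot: The new whitelist in `update_params` stops `note[post_id]` from being reassigned, but strong parameters discard an unpermitted key silently unless the app sets `config.action_controller.action_on_unpermitted_parameters = :raise`, so the two PUTs in the commit message now succeed with `post_id` unchanged rather than failing — a regression test should assert the note still belongs to its original post after the request, not expect an error response. `update_params` and `create_params` also repeat the same attribute list and will drift apart when a column is added; a shared constant keeps them in step: `NOTE_ATTRIBUTES = [:x, :y, :width, :height, :body].freeze`, `params.require(:note).permit(*NOTE_ATTRIBUTES)` and `params.require(:note).permit(*NOTE_ATTRIBUTES, :post_id)`. Whether the requester is allowed to edit the note found by `params[:id]` at all is not visible in these hunks and is presumably enforced by a filter elsewhere in the controller. The body of `pass_html_id` continues outside the hunk.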