Fix exploit allowing dmail filters to be set on other users.

Exploit:

    curl \
      -u $USERNAME:$API_KEY \
      -X PUT "http://danbooru.donmai.us/maintenance/user/dmail_filter.json?dmail_id=1" \
      -d "dmail_filter[words]=owned&dmail_filter[user_id]=2"

...where dmail_id is any dmail you own (doesn't matter which) and user_id is the victim.
This commit is contained in:
evazion
2016-11-11 23:57:55 -06:00
parent 2dadad395b
commit a16b91e2bf
2 changed files with 2 additions and 2 deletions


@@ -10,7 +10,7 @@ module Maintenance
def update
@dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
@dmail_filter.update_attributes(params[:dmail_filter])
@dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role)
flash[:notice] = "Filter updated"
redirect_to(dmail_path(@dmail.id))
end
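Review bot: The return value of `@dmail_filter.update(...)` on the added line is ignored, so a validation failure (e.g. `validates_presence_of :user` not being satisfied) still sets `flash[:notice] = "Filter updated"` and redirects as if the save had succeeded. One way to keep the flow flat is `flash[:notice] = @dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role) ? "Filter updated" : @dmail_filter.errors.full_messages.join("; ")`. The added line would also benefit from a comment recording why the whitelist is so narrow, since the security of the fix rests on it: `# Only :words may come from params; the filter always belongs to CurrentUser, so user_id must never be mass-assignable here.` The `@dmail` used in `redirect_to` is presumably loaded and ownership-checked in a before filter outside this hunk.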


@@ -1,6 +1,6 @@
class DmailFilter < ActiveRecord::Base
belongs_to :user
attr_accessible :user_id, :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
attr_accessible :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
validates_presence_of :user
before_validation :initialize_user