From a16b91e2bf60054175ae65390d563be838e4a35c Mon Sep 17 00:00:00 2001
From: evazion
Date: Fri, 11 Nov 2016 23:57:55 -0600
Subject: [PATCH] Fix exploit allowing dmail filters to be set on other users.

Exploit: curl \
-u $USERNAME:$API_KEY \
-X PUT "http://danbooru.donmai.us/maintenance/user/dmail_filter.json?dmail_id=1" \
-d "dmail_filter[words]=owned&dmail_filter[user_id]=2"

...where dmail_id is any dmail you own (doesn't matter which) and user_id is the victim.
---
 app/controllers/maintenance/user/dmail_filters_controller.rb | 2 +-
 app/models/dmail_filter.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/maintenance/user/dmail_filters_controller.rb b/app/controllers/maintenance/user/dmail_filters_controller.rb
index 1d7b06d00..50ca9cb8d 100644
--- a/app/controllers/maintenance/user/dmail_filters_controller.rb
+++ b/app/controllers/maintenance/user/dmail_filters_controller.rb
@@ -10,7 +10,7 @@ module Maintenance
 def update
 @dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
- @dmail_filter.update_attributes(params[:dmail_filter])
+ @dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role)
 flash[:notice] = "Filter updated"
 redirect_to(dmail_path(@dmail.id))
 end
diff --git a/app/models/dmail_filter.rb b/app/models/dmail_filter.rb
index b35a9a238..9a2e52c6a 100644
--- a/app/models/dmail_filter.rb
+++ b/app/models/dmail_filter.rb
@@ -1,6 +1,6 @@
 class DmailFilter < ActiveRecord::Base
 belongs_to :user
- attr_accessible :user_id, :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
+ attr_accessible :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
 validates_presence_of :user
 before_validation :initialize_user
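Review bot: The return value of `update` on the new line in `update` is discarded, so a save rejected by the model (for example `validates_presence_of :user` failing on a freshly built `DmailFilter.new`) still flashes "Filter updated" and redirects as if it succeeded. A one-line change keeps the flow but reports honestly: `flash[:notice] = @dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role) ? "Filter updated" : @dmail_filter.errors.full_messages.to_sentence`. Note also that `params.require(:dmail_filter)` now raises `ActionController::ParameterMissing` when the key is absent, where the old `update_attributes(params[:dmail_filter])` tolerated a nil hash; that is a reasonable behaviour change but deserves a short comment such as `# require: a PUT without a dmail_filter body is a client error, not a no-op`. `@dmail` is not assigned anywhere in the visible lines of `update`, so it is presumably loaded by a before filter from `dmail_id` outside this hunk — confirm that filter also restricts the lookup to the current user's dmails. The enclosing `module Maintenance` and controller class start outside the hunk.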
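Review bot: Removing `:user_id` from `attr_accessible` makes the owner assignment depend entirely on `initialize_user`, which is registered via `before_validation` in the hunk but whose body is outside it; the protection holds only if that callback always sets `self.user` from the current session user and never from a value a caller can supply, and nothing on the new line documents that intent. Suggested comment above the changed line: `# user_id is deliberately not mass-assignable: the owner is fixed by initialize_user, never taken from request params`. It would also be worth pinning the regression with a model test that builds a filter with a foreign `user_id` in the attribute hash (a constructed value) under a non-admin role and asserts `user_id` is nil before validation, so a future edit cannot quietly re-add the attribute. The `DmailFilter` class body continues past the end of this hunk.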