Fix vulnerability in meeting copy. myproject #3710

pull/6827/head
Felix Schäfer 14 years ago committed by Felix Schäfer
parent 8a35eca98c
commit 033a072b88
  1. 15
      app/controllers/meetings_controller.rb
  2. 3
      app/views/meetings/_form.html.erb
  3. 2
      init.rb

@ -23,14 +23,10 @@ class MeetingsController < ApplicationController
def create
@meeting.participants.clear # Start with a clean set of participants
@meeting.attributes = params[:meeting]
begin
if (agenda = Meeting.find(params[:copy_from_id]).agenda).present?
@meeting.agenda = MeetingAgenda.new(:text => agenda.text,
:comment => "Copied from Meeting ##{params[:copy_from_id]}",
:author => User.current)
end
rescue ActiveRecord::RecordNotFound
end if params[:copy_from_id].present?
@meeting.agenda = MeetingAgenda.new(:text => params[:copied_meeting_agenda_text],
:comment => "Copied from Meeting ##{params[:copied_from_meeting_id]}",
:author => User.current
) if params[:copied_from_meeting_id].present? && params[:copied_meeting_agenda_text].present?
if @meeting.save
flash[:notice] = l(:notice_successful_create)
redirect_to :action => 'show', :id => @meeting
@ -43,7 +39,8 @@ class MeetingsController < ApplicationController
end
def copy
params[:copy_from_id] = @meeting.id
params[:copied_from_meeting_id] = @meeting.id
params[:copied_meeting_agenda_text] = @meeting.agenda.text if @meeting.agenda.present?
@meeting = @meeting.copy(:author => User.current, :start_time => nil)
render :action => 'new', :project_id => @project
end
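Review bot: The agenda comment built on the new lines of `create` interpolates `params[:copied_from_meeting_id]` without any check, so the stored "Copied from Meeting #…" provenance is whatever the client put in the hidden field — not necessarily a meeting id, nor one the user may see. Dropping the server-side `Meeting.find` on a client-supplied id is the right fix, but the guard should then at least constrain the id to digits before it is recorded: `if params[:copied_from_meeting_id].to_s =~ /\A\d+\z/ && params[:copied_meeting_agenda_text].present?`. The four-line `MeetingAgenda.new(...)` call with a trailing `if` modifier is easy to misread; a plain `if … end` block around it would be clearer. In `copy`, reading `@meeting.agenda.text` into params presumably relies on a before-filter outside this diff having loaded and authorized `@meeting`; a comment there would preserve that dependency, e.g. `# @meeting is the already-authorized source meeting; its agenda text travels through the form rather than being re-fetched by id in create`. `create` continues past the hunk, so its failure branch is not visible here.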

@ -30,7 +30,8 @@
</tbody>
</table>
</div>
<%= hidden_field_tag "copy_from_id", params[:copy_from_id] if params[:copy_from_id].present? %>
<%= hidden_field_tag "copied_from_meeting_id", params[:copied_from_meeting_id] if params[:copied_from_meeting_id].present? %>
<%= hidden_field_tag "copied_meeting_agenda_text", params[:copied_meeting_agenda_text] if params[:copied_meeting_agenda_text].present? %>
</div>
<% content_for :header_tags do %>
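Review bot: The new hidden fields carry the agenda text itself, and nothing in the template says why the text is sent instead of only the source meeting's id, which a later cleanup could reintroduce together with the by-id lookup this commit removes. An ERB comment above the two tags would keep the intent visible, e.g. `<%# The copied agenda text is carried in the form and is never re-fetched by id in create; a client-supplied id must not be used to read another meeting's agenda. %>`. Both values are client-editable on submit, so the server side should treat `copied_from_meeting_id` as display text only, as the controller change appears to do.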

@ -14,7 +14,7 @@ Redmine::Plugin.register :redmine_meeting do
author_url 'http://finn.de/team'
description 'This plugin adds a meeting module with functionality to plan an agenda and save the minutes of a meeting.'
url 'http://finn.de'
version '1.2.0'
version '1.2.1'
requires_redmine :version_or_higher => '1.0'
