[Git][noosfero/noosfero][master] 2 commits: Fix template params leak in mail with template

Victor Costa gitlab at mg.gitlab.com
Mon Aug 1 11:04:37 BRT 2016


Victor Costa pushed to branch master at Noosfero / noosfero


Commits:
1253d22d by Victor Costa at 2016-08-01T10:16:32-03:00
Fix template params leak in mail with template

Closes #210

- - - - -
e1cb8ef0 by Victor Costa at 2016-08-01T14:03:59+00:00
Merge branch 'fix_template_leak' into 'master'

Fix template params leak in mail with template

Closes #210

See merge request !992
- - - - -


2 changed files:

- app/helpers/email_template_helper.rb
- test/unit/user_mailer_test.rb


Changes:

=====================================
app/helpers/email_template_helper.rb
=====================================
--- a/app/helpers/email_template_helper.rb
+++ b/app/helpers/email_template_helper.rb
@@ -6,7 +6,7 @@ module EmailTemplateHelper
       params[:subject] = params[:email_template].parsed_subject(params[:template_params])
       params[:content_type] = "text/html"
     end
-    mail(params.except(:email_template))
+    mail(params.except(:email_template, :template_params))
   end
 
 end
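Review bot: The `mail(params.except(:email_template, :template_params))` call on the `+` line still filters by denylist, so any helper-only key added to `params` later will again be forwarded to `mail` and end up as a header on the outgoing message. Consider removing the helper's own keys from `params` before the call (for example `template_params = params.delete(:template_params)`) or passing `mail` an explicit allowlist of the keys it is meant to receive, so that nothing is forwarded by default.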


=====================================
test/unit/user_mailer_test.rb
=====================================
--- a/test/unit/user_mailer_test.rb
+++ b/test/unit/user_mailer_test.rb
@@ -44,6 +44,16 @@ fast_create(Person))
     assert_equal 'activation template body', mail.body.to_s
   end
 
+  should 'not leak template params into activation email' do
+    EmailTemplate.create!(:template_type => :user_activation, :name => 'template1', :subject => 'activation template subject', :body => 'activation template body', :owner => Environment.default)
+    assert_difference 'ActionMailer::Base.deliveries.size' do
+      u = create_user('some-user')
+      UserMailer.activation_code(u).deliver
+    end
+    mail = ActionMailer::Base.deliveries.last
+    assert_nil mail['template-params']
+  end
+
   private
 
     def read_fixture(action)
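Review bot: The new test's only assertion is `assert_nil mail['template-params']`, which checks a single header name and would still pass if `:email_template` stopped being excluded or if the values were leaked under another key. Add `assert_nil mail['email-template']` next to it, and consider asserting that the delivered message's header fields contain only the expected names so the test fails on any newly leaked key.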



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/a01942280e93772a0dd196912e50fac02db150b4...e1cb8ef004d09c9bdf8a0f01b9abab5b7f6b8494