[Git][noosfero/noosfero][master] 2 commits: Fix template params leak in mail with template
Victor Costa
gitlab at mg.gitlab.com
Mon Aug 1 11:04:37 BRT 2016
Victor Costa pushed to branch master at Noosfero / noosfero
Commits:
1253d22d by Victor Costa at 2016-08-01T10:16:32-03:00
Fix template params leak in mail with template
Closes #210
- - - - -
e1cb8ef0 by Victor Costa at 2016-08-01T14:03:59+00:00
Merge branch 'fix_template_leak' into 'master'
Fix template params leak in mail with template
Closes #210
See merge request !992
- - - - -
2 changed files:
- app/helpers/email_template_helper.rb
- test/unit/user_mailer_test.rb
Changes:
=====================================
app/helpers/email_template_helper.rb
=====================================
--- a/app/helpers/email_template_helper.rb
+++ b/app/helpers/email_template_helper.rb
@@ -6,7 +6,7 @@ module EmailTemplateHelper
params[:subject] = params[:email_template].parsed_subject(params[:template_params])
params[:content_type] = "text/html"
end
- mail(params.except(:email_template))
+ mail(params.except(:email_template, :template_params))
end
end
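Review bot: `mail(params.except(:email_template, :template_params))` is still a denylist, so any internal key added to `params` later will again be handed to `mail` and sent out as a message header unless someone remembers to extend this call. Consider keeping the helper-only keys in one named constant with a comment saying why they must never reach `mail`, or passing `mail` only an explicit list of the header options it is expected to receive.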
=====================================
test/unit/user_mailer_test.rb
=====================================
--- a/test/unit/user_mailer_test.rb
+++ b/test/unit/user_mailer_test.rb
@@ -44,6 +44,16 @@ fast_create(Person))
assert_equal 'activation template body', mail.body.to_s
end
+ should 'not leak template params into activation email' do
+ EmailTemplate.create!(:template_type => :user_activation, :name => 'template1', :subject => 'activation template subject', :body => 'activation template body', :owner => Environment.default)
+ assert_difference 'ActionMailer::Base.deliveries.size' do
+ u = create_user('some-user')
+ UserMailer.activation_code(u).deliver
+ end
+ mail = ActionMailer::Base.deliveries.last
+ assert_nil mail['template-params']
+ end
+
private
def read_fixture(action)
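Review bot: the new test's only check on the message is `assert_nil mail['template-params']`, which would also pass if the template branch were never exercised for this delivery. Add an assertion that the template was applied, for example `assert_equal 'activation template subject', mail.subject`, so the nil check is known to cover the code path that was leaking. It would also be worth asserting `assert_nil mail['email-template']` here, since `:email_template` is stripped by the same `except` call and has no regression check in this hunk.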
View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/a01942280e93772a0dd196912e50fac02db150b4...e1cb8ef004d09c9bdf8a0f01b9abab5b7f6b8494