From 325bccc1649c928d512ce7c7b11e14566a8c9eeb Mon Sep 17 00:00:00 2001
From: Azul <azul@riseup.net>
Date: Sun, 17 Sep 2017 09:54:55 +0200
Subject: fix: sanity checks on user params

fixes #8801

Includes a test reproducing 500 on lynx

We now make use of ActionController::Parameters require and permit
methods.
---
 app/controllers/api/users_controller.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'app/controllers/api/users_controller.rb')

diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index 709e076..cb7b7bc 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -53,7 +53,7 @@ module Api
     end
 
     def update
-      @user.account.update params[:user]
+      @user.account.update user_update_params
       respond_with @user
     end
 
@@ -67,6 +67,15 @@ module Api
 
     private
 
+    def user_update_params
+      params.require(:user).permit :login,
+        :password_verifier,
+        :password_salt,
+        :recovery_code_verifier,
+        :recovery_code_salt,
+        :public_key
+    end
+
     def release_handles
       current_user.is_monitor? || params[:identities] == "destroy"
     end
-- 
cgit v1.2.3