C3S / redmine_openpgp

Redmine plugin for email encryption with the OpenPGP standard
GNU General Public License v3.0

Mass assign warning and NULLs in the database #16

Open wilsoc5 opened 8 years ago

wilsoc5 commented 8 years ago

I'm getting a mass-assignment warning on version 1.0. Log file:

Redirected to https://redmineserver/pgp
WARNING: Can't mass-assign protected attributes for Pgpkey: user_id, fpr, secret

Looking at the pgpkeys database table, only NULLs are inserted for user_id, fpr, and secret. Reloading the page for a user results in no key apparently loaded, even though the flash showed success. Looking at the GPG keychain shows the user key in there.

Updating models/pgpkey.rb to:

class Pgpkey < ActiveRecord::Base
  unloadable
  attr_accessible :user_id,:fpr,:secret
  ....

solves the problem and loads the database appropriately.

Environment:
  Redmine version                3.0.1.stable
  Ruby version                   1.9.3-p484 (2013-11-22) [x86_64-linux]
  Rails version                  4.2.0
  Environment                    production
  Database adapter               PostgreSQL
SCM:
  Git                            1.9.1
  Filesystem                     
  Xitolite                       1.9.1
Redmine plugins:
  openpgp                        1.0
  projects_table                 0.0.4
  redmine_banner                 0.1.1
  redmine_bootstrap_kit          0.2.4
  redmine_ckeditor               1.1.3
  redmine_git_hosting            1.2-devel
  redmine_per_project_formatting 0.0.4
  redmine_wiki_extensions        0.7.0
  userproj                       0.0.1
  wiki_latex                     0.1.0

timegrid commented 7 years ago

Thanks for filing the report. I can't reproduce this behavior with:

gnupg    1.4.18
ruby     2.1.5p273
rails    4.2.7.1
redmine  3.1.7 / 3.2.5 / 3.3.2 
gpgme    2.0.12
mail-gpg 0.3.0
openpgp  branch/develop

Also another environment with Rails 4.2.3 is missing those symptoms, and without a deeper look I suspect Rails to be the cause for it.

What causes this message exactly? The context suggests you tried to save a public PGP key as a normal user.

As I understand, your solution would be less secure without further checks on the user input, so I won't include it without them.

On the other hand, you might consider upgrading Redmine, as your version is quite old and possibly insecure (see Security Advisories).
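To make the "less secure without further checks" point concrete, here is an added illustration that is not part of the plugin or of either comment: a pure-Ruby stand-in for the Pgpkey record (no Rails, no ActiveRecord) with the attribute-whitelist pattern that lets the request choose user_id beside a variant that takes the owner from the session and validates the fingerprint. The names build_key_unsafe, build_key_safe and FPR_RE are hypothetical.

```ruby
# Added illustration of the mass-assignment risk discussed in this issue.
# Pure Ruby, no Rails: a tiny stand-in for a Pgpkey record and two ways a
# controller could build one from request parameters.

# Hypothetical stand-in for the Pgpkey model (user_id, fpr, secret columns).
Pgpkey = Struct.new(:user_id, :fpr, :secret, keyword_init: true)

# OpenPGP v4 fingerprint: 40 upper-case hex characters.
FPR_RE = /\A[0-9A-F]{40}\z/

# Attributes a request would be allowed to set under the attr_accessible
# change from the report (user_id included).
MASS_ASSIGNABLE = %w[user_id fpr secret].freeze

# Risky pattern: whitelisting user_id for mass assignment and then building
# the record straight from the request hash means whoever submits the form
# also picks which user the key is stored for.
def build_key_unsafe(params)
  allowed = params.select { |k, _| MASS_ASSIGNABLE.include?(k) }
  Pgpkey.new(**allowed.transform_keys(&:to_sym))
end

# Hardened pattern: only fpr and secret may come from the request; the owner
# is the authenticated user, the fingerprint is normalised and validated, and
# the secret flag is coerced to a boolean. A submitted user_id is ignored.
def build_key_safe(current_user_id, params)
  fpr = params['fpr'].to_s.upcase.delete(' ')
  raise ArgumentError, 'invalid fingerprint' unless fpr.match?(FPR_RE)
  secret = [true, 'true', '1'].include?(params['secret'])
  Pgpkey.new(user_id: current_user_id, fpr: fpr, secret: secret)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: a user (id 7) submits their key but tampers user_id.
  request = { 'user_id' => '999', 'fpr' => 'ab' * 20, 'secret' => 'false' }
  puts "unsafe owner: #{build_key_unsafe(request).user_id}"   # 999
  puts "safe owner:   #{build_key_safe(7, request).user_id}"  # 7
end
```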