From d6da1499fc7c86a5bb175a1bf0bf974c36003523 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 11 Jan 2022 19:42:31 +0000
Subject: [PATCH] Avoid putting ActionController::Parameters objects in the session
---
app/controllers/accounts_controller.rb | 6 ++++--
app/controllers/concerns/user_methods.rb | 12 ++++++------
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index 3b540234b..06eb031c4 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -35,17 +35,19 @@ class AccountsController < ApplicationController
 :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
 )
+ user_params = params.require(:user).permit(:display_name, :new_email, :pass_crypt, :pass_crypt_confirmation, :auth_provider)
+
 if params[:user][:auth_provider].blank? ||
 (params[:user][:auth_provider] == current_user.auth_provider &&
 params[:user][:auth_uid] == current_user.auth_uid)
- update_user(current_user, params)
+ update_user(current_user, user_params)
 if current_user.errors.count.zero?
 redirect_to edit_account_path
 else
 render :edit
 end
 else
- session[:new_user_settings] = params
+ session[:new_user_settings] = user_params.to_h
 redirect_to auth_url(params[:user][:auth_provider], params[:user][:auth_uid]), :status => :temporary_redirect
 end
 end
diff --git a/app/controllers/concerns/user_methods.rb b/app/controllers/concerns/user_methods.rb
index 9099b37c9..81e9f0064 100644
--- a/app/controllers/concerns/user_methods.rb
+++ b/app/controllers/concerns/user_methods.rb
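Review bot: `session[:new_user_settings] = user_params.to_h` in the else branch still places the submitted `pass_crypt` and `pass_crypt_confirmation` — a plaintext password — in the session across the external auth redirect; whether that ends up in a server-side store or in a cookie depends on the configured session store, which is not visible here, and a comment on that line saying the value is only expected to live until the auth callback consumes it would make the trade-off explicit. If the session serializer is JSON rather than Marshal, the HashWithIndifferentAccess that `to_h` returns comes back with string keys and the symbol lookups in `update_user` would read nil, so it is worth confirming against the session store configuration or storing an explicitly string-keyed hash and reading it back with `with_indifferent_access`. The condition and the `auth_url` call still read `params[:user][:auth_provider]` and `params[:user][:auth_uid]` directly; since `:auth_uid` is not in the permit list that is deliberate, but a short comment would stop a later reader from "fixing" the inconsistency by switching them to `user_params`. The enclosing update action starts before the hunk.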
@@ -6,15 +6,15 @@ module UserMethods
 ##
 # update a user's details
 def update_user(user, params)
- user.display_name = params[:user][:display_name]
- user.new_email = params[:user][:new_email]
+ user.display_name = params[:display_name]
+ user.new_email = params[:new_email]
- unless params[:user][:pass_crypt].empty? && params[:user][:pass_crypt_confirmation].empty?
- user.pass_crypt = params[:user][:pass_crypt]
- user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
+ unless params[:pass_crypt].empty? && params[:pass_crypt_confirmation].empty?
+ user.pass_crypt = params[:pass_crypt]
+ user.pass_crypt_confirmation = params[:pass_crypt_confirmation]
 end
- if params[:user][:auth_provider].nil? || params[:user][:auth_provider].blank?
+ if params[:auth_provider].nil? || params[:auth_provider].blank?
 user.auth_provider = nil
 user.auth_uid = nil
 end
-- 
2.45.2
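Review bot: `unless params[:pass_crypt].empty? && params[:pass_crypt_confirmation].empty?` raises NoMethodError when either key is absent, because `permit` only keeps keys that were actually submitted and `nil` has no `empty?`; `blank?` covers both the missing and the empty-string case: `unless params[:pass_crypt].blank? && params[:pass_crypt_confirmation].blank?`. On the same basis `if params[:auth_provider].nil? || params[:auth_provider].blank?` is redundant, since `blank?` is already true for nil: `if params[:auth_provider].blank?`. The header comment `# update a user's details` could now say what the second argument is, e.g. `# params: the permitted :user attributes (display_name, new_email, pass_crypt, pass_crypt_confirmation, auth_provider), no longer the full request params`; naming the parameter `user_params` instead of `params` would also avoid shadowing the controller `params` helper inside a concern and make the flattened shape obvious at the call site. The method body continues past the end of the hunk.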