Fix: Strip whitespace from email addresses on lost password page (#27754).

Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@17078 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-19 23:11:12 +00:00 · 2017-12-08 08:27:27 +00:00 · 2017-12-08 08:27:27 +00:00 · 01085249ab
commit 01085249ab
parent 4e7ae640b9
2 changed files with 16 additions and 1 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -98,7 +98,7 @@ class AccountController < ApplicationController
      return
    else
      if request.post?
-        email = params[:mail].to_s
+        email = params[:mail].to_s.strip
        user = User.find_by_mail(email)
        # user not found
        unless user
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@ -385,6 +385,21 @@ class AccountControllerTest < Redmine::ControllerTest
    end
  end

+  def test_lost_password_with_whitespace_should_send_email_to_the_address
+    Token.delete_all
+
+    assert_difference 'ActionMailer::Base.deliveries.size' do
+      assert_difference 'Token.count' do
+        post :lost_password, params: {
+          mail: ' JSmith@somenet.foo  '
+        }
+        assert_redirected_to '/login'
+      end
+    end
+    mail = ActionMailer::Base.deliveries.last
+    assert_equal ['jsmith@somenet.foo'], mail.bcc
+  end
+
  def test_lost_password_using_additional_email_address_should_send_email_to_the_address
    EmailAddress.create!(:user_id => 2, :address => 'anotherAddress@foo.bar')
    Token.delete_all