seanpdoyle
diff --git a/‎actionmailbox/app/controllers/rails/conductor/action_mailbox/inbound_emails_controller.rb
Lines changed: 1 addition & 1 deletion b/‎actionmailbox/app/controllers/rails/conductor/action_mailbox/inbound_emails_controller.rb
Lines changed: 1 addition & 1 deletion
diff --git a/‎actionmailbox/test/dummy/public/400.html
Lines changed: 67 additions & 0 deletions b/‎actionmailbox/test/dummy/public/400.html
Lines changed: 67 additions & 0 deletions
diff --git a/‎actionpack/CHANGELOG.md
Lines changed: 47 additions & 0 deletions b/‎actionpack/CHANGELOG.md
Lines changed: 47 additions & 0 deletions
@@ -31,7 +31,7 @@ def new_mail
       end
 
       def mail_params
-        params.require(:mail).permit(:from, :to, :cc, :bcc, :x_original_to, :in_reply_to, :subject, :body, attachments: [])
+        params.expect(mail: [:from, :to, :cc, :bcc, :x_original_to, :in_reply_to, :subject, :body, attachments: []])
       end
 
       def create_inbound_email(mail)
 
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The server cannot process the request due to a client error (400)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  .rails-default-error-page {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  .rails-default-error-page div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  .rails-default-error-page div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  .rails-default-error-page h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  .rails-default-error-page div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body class="rails-default-error-page">
+  <!-- This file lives in public/400.html -->
+  <div class="dialog">
+    <div>
+      <h1>The server cannot process the request due to a client error.</h1>
+      <p>Please check the request and try again.</p>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>
@@ -1,3 +1,50 @@
+*   Introduce safer, more explicit params handling method with `params#expect` such that
+    `params.expect(table: [ :attr ])` replaces `params.require(:table).permit(:attr)`
+
+    Ensures params are filtered with consideration for the expected
+    types of values, improving handling of params and avoiding ignorable
+    errors caused by params tampering.
+
+    ```ruby
+    # If the url is altered to ?person=hacked
+    # Before
+    params.require(:person).permit(:name, :age, pets: [:name])
+    # raises NoMethodError, causing a 500 and potential error reporting
+
+    # After
+    params.expect(person: [ :name, :age, pets: [[:name]] ])
+    # raises ActionController::ParameterMissing, correctly returning a 400 error
+    ```
+
+    You may also notice the new double array `[[:name]]`. In order to
+    declare when a param is expected to be an array of parameter hashes,
+    this new double array syntax is used to explicitly declare an array.
+    `expect` requires you to declare expected arrays in this way, and will
+    ignore arrays that are passed when, for example, `pet: [:name]` is used.
+
+    In order to preserve compatibility, `permit` does not adopt the new
+    double array syntax and is therefore more permissive about unexpected
+    types. Using `expect` everywhere is recommended.
+
+    We suggest replacing `params.require(:person).permit(:name, :age)`
+    with the direct replacement `params.expect(person: [:name, :age])`
+    to prevent external users from manipulating params to trigger 500
+    errors. A 400 error will be returned instead, using public/400.html
+
+    Usage of `params.require(:id)` should likewise be replaced with
+    `params.expect(:id)` which is designed to ensure that `params[:id]`
+    is a scalar and not an array or hash, also requiring the param.
+
+    ```ruby
+    # Before
+    User.find(params.require(:id)) # allows an array, altering behavior
+
+    # After
+    User.find(params.expect(:id)) # expect only returns non-blank permitted scalars (excludes Hash, Array, nil, "", etc)
+    ```
+
+    *Martin Emde*
+
 *   System Testing: Disable Chrome's search engine choice by default in system tests.
 
     *glaszig*