Merge pull request from GHSA-p75c-5x3h-cxcg

steveyken · web-flow · commit c85a2546348c · 2022-10-07T09:05:26.000+08:00
CVE-2022-39281 mitigations
diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ def self.find_all_grouped(user, view)
   #----------------------------------------------------------------------------
   def self.bucket_empty?(bucket, user, view = "pending")
     return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
 
     if view == "assigned"
       assigned_by(user).send(bucket).pending.count
diff --git a/lib/fat_free_crm/version.rb b/lib/fat_free_crm/version.rb
@@ -9,7 +9,7 @@ module FatFreeCRM
   module VERSION # :nodoc:
     MAJOR = 0
     MINOR = 20
-    TINY  = 0
+    TINY  = 1
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
