The test email action should use POST only (CSRF protection)
Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator which would allow it to send a large amount of test emails to this user. This is possible with a simple
img tag like this:
<img src="http://redmine.org/admin/test_email" />
The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.