From 5673c4d2accf1da092d7741418e994bc3376f0e5 Mon Sep 17 00:00:00 2001
From: Brad Rydzewski
Date: Tue, 25 Feb 2014 16:48:43 -0700
Subject: [PATCH] only inject private parameters for non-pull requests, for security purposes
---
 pkg/queue/worker.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/queue/worker.go b/pkg/queue/worker.go
index a43071091..9038e50b8 100644
--- a/pkg/queue/worker.go
+++ b/pkg/queue/worker.go
@@ -108,8 +108,9 @@ func (w *worker) execute(task *BuildTask) error {
 var buf = &bufferWrapper{channel: consoleslug}
 // append private parameters to the environment
- // variable section of the .drone.yml file
- if task.Repo.Params != nil {
+ // variable section of the .drone.yml file, iff
+ // this is not a pull request (for security purposes)
+ if task.Repo.Params != nil && len(task.Commit.PullRequest) == 0 {
 for k, v := range task.Repo.Params {
 task.Script.Env = append(task.Script.Env, k+"="+v)
 }
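Review bot: The guard added to the `if` line fails open: private params are withheld only when `task.Commit.PullRequest` is a non-empty string, so a build that originates from a pull request but reaches `execute` with that field unset would still get the repository's private params appended to `task.Script.Env`. Where the field is populated is not visible in this hunk, so it is worth confirming that every hook parser sets it and adding a worker test that asserts `Script.Env` is left unchanged for a pull-request task. The comment would also be more useful if it stated the reason instead of "for security purposes", for example `// pull request builds presumably run a contributor-supplied .drone.yml, so private params must not reach them`. The enclosing `execute` function starts and ends outside the hunk, so any other secret-bearing inputs it passes to the build cannot be checked from here.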