SECURITY: Limit ThemeField value length to prevent DoS (#22087)

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Blake Erickson
2023-06-13 11:07:47 -06:00
committed by GitHub
parent e576fdbe3a
commit 56b74e6042
3 changed files with 46 additions and 1 deletions


@@ -14,7 +14,7 @@ class Theme < ActiveRecord::Base
belongs_to :user
belongs_to :color_scheme
has_many :theme_fields, dependent: :destroy
has_many :theme_fields, dependent: :destroy, validate: false
has_many :theme_settings, dependent: :destroy
has_many :theme_translation_overrides, dependent: :destroy
has_many :child_theme_relation,
@@ -59,6 +59,7 @@ class Theme < ActiveRecord::Base
class_name: "ThemeField"
validate :component_validations
validate :validate_theme_fields
after_create :update_child_components
@@ -300,6 +301,12 @@ class Theme < ActiveRecord::Base
errors.add(:base, I18n.t("themes.errors.component_no_default")) if default?
end
def validate_theme_fields
theme_fields.each do |field|
field.errors.full_messages.each { |message| errors.add(:base, message) } unless field.valid?
end
end
def switch_to_component!
return if component
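Review bot: `validate_theme_fields` calls `field.valid?` on every record in `theme_fields`, so each Theme save loads the whole association and re-validates persisted, unchanged fields, whereas the default association validation it replaces (`validate: false` on the `has_many`) would only have checked new records. If the length limit is a ThemeField validation (that file is not visible here), a field stored before this commit that already exceeds the limit would presumably make every later save of its theme fail. Confirm that is intended, or skip untouched rows with `next unless field.new_record? || field.changed?`. The messages are also copied to `:base` without naming the field that failed, so consider prefixing each one with a field identifier. A short comment above the method should explain why the built-in association validation is disabled and redone by hand.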