IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: ignore invalid usernames in incoming link tracker

Browse Source 
If an incoming link username has NULL in it simply ignore it
This commit is contained in:
Sam 2018-09-04 12:28:22 +10:00
parent 8dc1463ab3
commit ad70502ab8
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/models/incoming_link.rb
View File

@ -1,3 +1,5 @@
# frozen_string_literal: true
class IncomingLink < ActiveRecord::Base class IncomingLink < ActiveRecord::Base
belongs_to :post belongs_to :post
belongs_to :user belongs_to :user
@ -15,7 +17,8 @@ class IncomingLink < ActiveRecord::Base
current_user = opts[:current_user] current_user = opts[:current_user]
username = opts[:username] username = opts[:username]
username = nil unless String === username username = nil if !(String === username)
username = nil if username&.include?("\0")
if username if username
u = User.select(:id).find_by(username_lower: username.downcase) u = User.select(:id).find_by(username_lower: username.downcase)
user_id = u.id if u user_id = u.id if u

6
spec/models/incoming_link_spec.rb
View File

@ -49,6 +49,12 @@ describe IncomingLink do
IncomingLink.add(req(opts)) IncomingLink.add(req(opts))
end end
it "does not explode with bad username" do
add(
username: "test\0test"
)
end
it "does not explode with bad referer" do it "does not explode with bad referer" do
add( add(
referer: 'file:///Applications/Install/75067ABC-C9D1-47B7-8ACE-76AEDE3911B2/Install/', referer: 'file:///Applications/Install/75067ABC-C9D1-47B7-8ACE-76AEDE3911B2/Install/',