IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-20 11:48:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: don't onebox whispers

Browse Source
This commit is contained in:
Sam 2018-02-16 08:56:13 +11:00
parent 32ad98161f
commit cda3f72ab8
2 changed files with 31 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
lib/oneboxer.rb
View File

@ -170,16 +170,26 @@ module Oneboxer
return unless Guardian.new(current_user).can_see_category?(current_category) return unless Guardian.new(current_user).can_see_category?(current_category)
end end
topic = Topic.find_by(id: route[:topic_id])
return unless topic
return if topic.private_message?
if current_category&.id != topic.category_id
return unless Guardian.new.can_see_topic?(topic)
end
post = nil
post_number = route[:post_number].to_i
if post_number > 1
post = topic.posts.where(post_number: route[:post_number].to_i).first
else
post = topic.ordered_posts.first
end
return if !post || post.hidden || post.post_type != Post.types[:regular]
if route[:post_number].to_i > 1 if route[:post_number].to_i > 1
post = Post.find_by(topic_id: route[:topic_id], post_number: route[:post_number])
return if !post || post.hidden || post.topic.private_message?
if current_category&.id != post.topic.category_id
return if !Guardian.new.can_see_post?(post)
end
topic = post.topic
excerpt = post.excerpt(SiteSetting.post_onebox_maxlength) excerpt = post.excerpt(SiteSetting.post_onebox_maxlength)
excerpt.gsub!(/[\r\n]+/, " ") excerpt.gsub!(/[\r\n]+/, " ")
excerpt.gsub!("[/quote]", "[quote]") # don't break my quote excerpt.gsub!("[/quote]", "[quote]") # don't break my quote
@ -188,23 +198,13 @@ module Oneboxer
PrettyText.cook(quote) PrettyText.cook(quote)
else else
topic = Topic.find_by(id: route[:topic_id])
return if !topic || topic.private_message?
if current_category&.id != topic.category_id
return if !Guardian.new.can_see_topic?(topic)
end
first_post = topic.ordered_posts.first
args = { args = {
topic_id: topic.id, topic_id: topic.id,
avatar: PrettyText.avatar_img(topic.user.avatar_template, "tiny"), avatar: PrettyText.avatar_img(topic.user.avatar_template, "tiny"),
original_url: url, original_url: url,
title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)), title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)),
category_html: CategoryBadge.html_for(topic.category), category_html: CategoryBadge.html_for(topic.category),
quote: first_post.excerpt(SiteSetting.post_onebox_maxlength), quote: post.excerpt(SiteSetting.post_onebox_maxlength),
} }
template = File.read("#{Rails.root}/lib/onebox/templates/discourse_topic_onebox.hbs") template = File.read("#{Rails.root}/lib/onebox/templates/discourse_topic_onebox.hbs")

11
spec/controllers/onebox_controller_spec.rb
View File

@ -139,6 +139,17 @@ describe OneboxController do
expect(response.body).not_to include('blockquote') expect(response.body).not_to include('blockquote')
end end
it 'does not allow whisper onebox' do
log_in
post = create_post
whisper = create_post(topic_id: post.topic_id, post_type: Post.types[:whisper])
url = Discourse.base_url + whisper.url
get :show, params: { url: url }, format: :json
expect(response.body).not_to include('blockquote')
end
it 'allows onebox to public topics/posts in PM' do it 'allows onebox to public topics/posts in PM' do
log_in log_in