IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: Post#each_upload_url yielding external URLs (#27149)

Browse Source 
This commit updates `Post#each_upload_url` to reject URLs that do not
have a host which matches `Discourse.current_hostname` but follows the
`/uploads/short-url` uploads URL format. This situation most commonly
happen when users copy upload URL link between different Discourse
sites.
This commit is contained in:
Alan Guo Xiang Tan
2024-05-23 13:15:16 +08:00
committed by GitHub
parent 13848594d2
commit f84eda7c8d
2 changed files with 34 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
app/models/post.rb
View File

@@ -1142,6 +1142,7 @@ class Post < ActiveRecord::Base
def each_upload_url(fragments: nil, include_local_upload: true)
current_db = RailsMultisite::ConnectionManagement.current_db
upload_patterns = [
%r{/uploads/#{current_db}/},
%r{/original/},
@@ -1150,6 +1151,7 @@ class Post < ActiveRecord::Base
]
fragments ||= Nokogiri::HTML5.fragment(self.cooked)
selectors =
fragments.css(
"a/@href",
@@ -1183,7 +1185,17 @@ class Post < ActiveRecord::Base
sha1 = Upload.sha1_from_short_url(src)
yield(src, nil, sha1)
next
elsif src.include?("/uploads/short-url/")
end
if src.include?("/uploads/short-url/")
host =
begin
URI(src).host
rescue URI::Error
end
next if host.present? && host != Discourse.current_hostname
sha1 = Upload.sha1_from_short_path(src)
yield(src, nil, sha1)
next
@@ -1193,6 +1205,7 @@ class Post < ActiveRecord::Base
next if Rails.configuration.multisite && src.exclude?(current_db)
src = "#{SiteSetting.force_https ? "https" : "http"}:#{src}" if src.start_with?("//")
if !Discourse.store.has_been_uploaded?(src) && !Upload.secure_uploads_url?(src) &&
!(include_local_upload && src =~ %r{\A/[^/]}i)
next
@@ -1226,6 +1239,7 @@ class Post < ActiveRecord::Base
DistributedMutex.synchronize("find_missing_uploads", validity: 30.minutes) do
PostCustomField.where(name: Post::MISSING_UPLOADS).delete_all
query =
Post
.have_uploads