mirror of
https://github.com/discourse/discourse.git
synced 2024-11-30 04:34:13 -06:00
5878535606
What is the problem? In `SvgSpriteController#search` and `SvgSpriteController#icon_picker_search`, the controller actions was using the `RailsMultisite::ConnectionManagement.with_hostname` API but `params[:hostname]` was always `nil` because the routes does not have a `:hostname` param component and the client does not ever pass the `:hostname` param when making the request. When `RailsMultisite::ConnectionManagement.with_hostname` is used with a `nil` argument, it ends up connecting to the default multisite database. Usually this would be bad because we're allowing a site in a multisite setup to connect to another site but thankfully no private data is being leaked here. What is the fix? Since `SvgSpriteController#search` and `SvgSpriteController#icon_picker_search` are login required route, there is no need for us to switch database connections. The fix here is to simply remove the use of `RailsMultisite::ConnectionManagement.with_hostname`.
89 lines
2.5 KiB
Ruby
89 lines
2.5 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class SvgSpriteController < ApplicationController
|
|
skip_before_action :preload_json,
|
|
:redirect_to_login_if_required,
|
|
:check_xhr,
|
|
:verify_authenticity_token,
|
|
only: %i[show search svg_icon]
|
|
|
|
before_action :apply_cdn_headers, only: %i[show search svg_icon]
|
|
|
|
requires_login except: %i[show svg_icon]
|
|
|
|
def show
|
|
no_cookies
|
|
|
|
RailsMultisite::ConnectionManagement.with_hostname(params[:hostname]) do
|
|
theme_id = params[:theme_id].to_i if params[:theme_id].present?
|
|
|
|
if SvgSprite.version(theme_id) != params[:version]
|
|
return redirect_to UrlHelper.absolute((SvgSprite.path(theme_id))), allow_other_host: true
|
|
end
|
|
|
|
svg_sprite = "window.__svg_sprite = #{SvgSprite.bundle(theme_id).inspect};"
|
|
|
|
response.headers["Last-Modified"] = 10.years.ago.httpdate
|
|
response.headers["Content-Length"] = svg_sprite.bytesize.to_s
|
|
immutable_for 1.year
|
|
|
|
render plain: svg_sprite, disposition: nil, content_type: "application/javascript"
|
|
end
|
|
end
|
|
|
|
def search
|
|
keyword = params.require(:keyword)
|
|
data = SvgSprite.search(keyword)
|
|
|
|
if data.blank?
|
|
render body: nil, status: 404
|
|
else
|
|
render plain: data.inspect, disposition: nil, content_type: "text/plain"
|
|
end
|
|
end
|
|
|
|
def icon_picker_search
|
|
params.permit(:filter, :only_available)
|
|
filter = params[:filter] || ""
|
|
only_available = params[:only_available]
|
|
|
|
icons = SvgSprite.icon_picker_search(filter, only_available)
|
|
render json: icons.take(200), root: false
|
|
end
|
|
|
|
def svg_icon
|
|
no_cookies
|
|
|
|
RailsMultisite::ConnectionManagement.with_hostname(params[:hostname]) do
|
|
params.permit(:color)
|
|
name = params.require(:name)
|
|
icon = SvgSprite.search(name)
|
|
|
|
if icon.blank?
|
|
render body: nil, status: 404
|
|
else
|
|
doc = Nokogiri.XML(icon)
|
|
doc.at_xpath("symbol").name = "svg"
|
|
doc.at_xpath("svg")["xmlns"] = "http://www.w3.org/2000/svg"
|
|
doc.at_xpath("svg")["fill"] = adjust_hex(params[:color]) if params[:color]
|
|
|
|
response.headers["Last-Modified"] = 1.years.ago.httpdate
|
|
response.headers["Content-Length"] = doc.to_s.bytesize.to_s
|
|
immutable_for 1.day
|
|
|
|
render plain: doc, disposition: nil, content_type: "image/svg+xml"
|
|
end
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
def adjust_hex(hex)
|
|
if hex.size == 3
|
|
chars = hex.scan(/\w/)
|
|
hex = chars.zip(chars).flatten.join
|
|
end
|
|
"##{hex}"
|
|
end
|
|
end
|