From 30e0154e5d3a1a574e30cc8fd68c5925b6c11080 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 19 Dec 2016 10:11:51 +1100
Subject: [PATCH] SECURITY: fix reflected XSS with safe_mode param (only applies to beta and master)

---
 app/helpers/application_helper.rb | 28 +++++++++++++++----
 .../common/_discourse_javascript.html.erb | 2 +-
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index e13539e6471..721f68e57b0 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -241,19 +241,35 @@ module ApplicationHelper
     MobileDetection.mobile_device?(request.user_agent)
   end
 
+  NO_CUSTOM = "no_custom".freeze
+  NO_PLUGINS = "no_plugins".freeze
+  ONLY_OFFICIAL = "only_official".freeze
+  SAFE_MODE = "safe_mode".freeze
+
   def customization_disabled?
-    safe_mode = params["safe_mode"]
-    session[:disable_customization] || (safe_mode && safe_mode.include?("no_custom"))
+    safe_mode = params[SAFE_MODE]
+    session[:disable_customization] || (safe_mode && safe_mode.include?(NO_CUSTOM))
   end
 
   def allow_plugins?
-    safe_mode = params["safe_mode"]
-    !(safe_mode && safe_mode.include?("no_plugins"))
+    safe_mode = params[SAFE_MODE]
+    !(safe_mode && safe_mode.include?(NO_PLUGINS))
   end
 
   def allow_third_party_plugins?
-    safe_mode = params["safe_mode"]
-    !(safe_mode && (safe_mode.include?("no_plugins") || safe_mode.include?("only_official")))
+    safe_mode = params[SAFE_MODE]
+    !(safe_mode && (safe_mode.include?(NO_PLUGINS) || safe_mode.include?(ONLY_OFFICIAL)))
+  end
+
+  def normalized_safe_mode
+    mode_string = params["safe_mode"]
+    safe_mode = nil
+    (safe_mode ||= []) << NO_CUSTOM if mode_string.include?(NO_CUSTOM)
+    (safe_mode ||= []) << NO_PLUGINS if mode_string.include?(NO_PLUGINS)
+    (safe_mode ||= []) << ONLY_OFFICIAL if mode_string.include?(ONLY_OFFICIAL)
+    if safe_mode
+      safe_mode.join(",").html_safe
+    end
   end
 
   def loading_admin?
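Review bot: `normalized_safe_mode` calls `include?` on `mode_string` with no nil guard, so any caller that does not first check `params["safe_mode"]` gets a NoMethodError; only the view currently guards it. It also reads the literal `params["safe_mode"]` while the three methods above it now use the `SAFE_MODE` constant this hunk introduces, and it tags the result `.html_safe` even though the only caller re-inspects and re-marks it, which hands a pre-trusted string to any future caller that may not. The output itself is sound: it is assembled only from the three frozen constants and never from the raw parameter, which is what closes the reflected injection. The rewrite below reads `SAFE_MODE`, tolerates a missing or non-string parameter via `to_s`, returns a plain String, and keeps the nil-when-nothing-matched return so the view's behaviour is unchanged.
```ruby
  def normalized_safe_mode
    mode_string = params[SAFE_MODE].to_s
    modes = [NO_CUSTOM, NO_PLUGINS, ONLY_OFFICIAL].select { |mode| mode_string.include?(mode) }
    modes.join(",") unless modes.empty?
  end
```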
diff --git a/app/views/common/_discourse_javascript.html.erb b/app/views/common/_discourse_javascript.html.erb
index c214d5e1fda..9e2da0a9005 100644
--- a/app/views/common/_discourse_javascript.html.erb
+++ b/app/views/common/_discourse_javascript.html.erb
@@ -53,7 +53,7 @@
   Discourse.set('assetVersion','<%= Discourse.assets_digest %>');
   Discourse.Session.currentProp("disableCustomCSS", <%= loading_admin? %>);
   <%- if params["safe_mode"] %>
-    Discourse.Session.currentProp("safe_mode", <%= params["safe_mode"].inspect.html_safe %>);
+    Discourse.Session.currentProp("safe_mode", <%= normalized_safe_mode.inspect.html_safe %>);
   <%- end %>
   Discourse.HighlightJSPath = <%= HighlightJs.path.inspect.html_safe %>;
   <%- if SiteSetting.enable_s3_uploads %>
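Review bot: When `safe_mode` is present but contains none of the recognised tokens, `normalized_safe_mode` returns nil (its trailing `if safe_mode` has no else branch) and `nil.inspect` writes the bare identifier `nil` into the script, so the browser raises a ReferenceError and the rest of this inline block does not execute. Guarding on the normalised value instead of the raw parameter avoids that: `<%- if (safe_mode = normalized_safe_mode) %>` followed by `Discourse.Session.currentProp("safe_mode", <%= safe_mode.inspect.html_safe %>);`. The `.inspect.html_safe` remains appropriate here because the value is built only from fixed constants, not from the request.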