SECURITY: fix reflected XSS with safe_mode param

(only applies to beta and master)
Sam 2016-12-19 10:11:51 +11:00
parent 81956cb1d6
commit 30e0154e5d
2 changed files with 23 additions and 7 deletions


@ -241,19 +241,35 @@ module ApplicationHelper
MobileDetection.mobile_device?(request.user_agent) MobileDetection.mobile_device?(request.user_agent)
end end
NO_CUSTOM = "no_custom".freeze
NO_PLUGINS = "no_plugins".freeze
ONLY_OFFICIAL = "only_official".freeze
SAFE_MODE = "safe_mode".freeze
def customization_disabled? def customization_disabled?
safe_mode = params["safe_mode"] safe_mode = params[SAFE_MODE]
session[:disable_customization] || (safe_mode && safe_mode.include?("no_custom")) session[:disable_customization] || (safe_mode && safe_mode.include?(NO_CUSTOM))
end end
def allow_plugins? def allow_plugins?
safe_mode = params["safe_mode"] safe_mode = params[SAFE_MODE]
!(safe_mode && safe_mode.include?("no_plugins")) !(safe_mode && safe_mode.include?(NO_PLUGINS))
end end
def allow_third_party_plugins? def allow_third_party_plugins?
safe_mode = params["safe_mode"] safe_mode = params[SAFE_MODE]
!(safe_mode && (safe_mode.include?("no_plugins") || safe_mode.include?("only_official"))) !(safe_mode && (safe_mode.include?(NO_PLUGINS) || safe_mode.include?(ONLY_OFFICIAL)))
end
def normalized_safe_mode
mode_string = params["safe_mode"]
safe_mode = nil
(safe_mode ||= []) << NO_CUSTOM if mode_string.include?(NO_CUSTOM)
(safe_mode ||= []) << NO_PLUGINS if mode_string.include?(NO_PLUGINS)
(safe_mode ||= []) << ONLY_OFFICIAL if mode_string.include?(ONLY_OFFICIAL)
if safe_mode
safe_mode.join(",").html_safe
end
end end
def loading_admin? def loading_admin?
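Review bot: `normalized_safe_mode` calls `mode_string.include?` on `params["safe_mode"]` with no nil guard, so any caller outside the template's `if params["safe_mode"]` check raises NoMethodError; adding `return unless mode_string` right after the assignment makes the helper safe on its own. That same line also keeps the literal `"safe_mode"` while the three sibling helpers in this hunk are switched to the new `SAFE_MODE` constant, so it should read `mode_string = params[SAFE_MODE]`. The `.html_safe` on the joined result looks redundant: the value is assembled only from the three frozen allowlist constants and the template already applies `.inspect.html_safe`, so the helper does not need to mark anything safe itself. A one-line comment such as `# Allowlist the user-supplied safe_mode value: only known tokens are echoed back into the page` would record why the method exists, since the allowlist rather than any escaping is what closes the reflected-XSS hole.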


@ -53,7 +53,7 @@
Discourse.set('assetVersion','<%= Discourse.assets_digest %>'); Discourse.set('assetVersion','<%= Discourse.assets_digest %>');
Discourse.Session.currentProp("disableCustomCSS", <%= loading_admin? %>); Discourse.Session.currentProp("disableCustomCSS", <%= loading_admin? %>);
<%- if params["safe_mode"] %> <%- if params["safe_mode"] %>
Discourse.Session.currentProp("safe_mode", <%= params["safe_mode"].inspect.html_safe %>); Discourse.Session.currentProp("safe_mode", <%= normalized_safe_mode.inspect.html_safe %>);
<%- end %> <%- end %>
Discourse.HighlightJSPath = <%= HighlightJs.path.inspect.html_safe %>; Discourse.HighlightJSPath = <%= HighlightJs.path.inspect.html_safe %>;
<%- if SiteSetting.enable_s3_uploads %> <%- if SiteSetting.enable_s3_uploads %>
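Review bot: When `params["safe_mode"]` is present but contains none of the recognised tokens, `normalized_safe_mode` returns nil, so the new line emits `Discourse.Session.currentProp("safe_mode", nil);` — `nil.inspect` is the bare word `nil`, which is a ReferenceError in the browser rather than a harmless no-op. The smallest fix is `<%= normalized_safe_mode.to_s.inspect.html_safe %>`, which yields `""` in that case; alternatively the guard could test the normalized value instead of the raw param so the whole line is skipped. It is worth a short template comment noting that the value is safe to inline only because the helper reduces it to a fixed set of tokens, so a future change that passes other params through `.inspect.html_safe` is not mistaken for the same pattern.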