github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-03-24 16:06:40 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Stop secure media URLs being censored too liberally in emails (#8817)

Browse Source 
For example /t/ URLs were being replaced if they contained secure-media-uploads so if you made a topic called "Secure Media Uploads Are Cool" the View Topic link in the user notifications would be stripped out.

Refactored code so this secure URL detection happens in one place.
This commit is contained in:
Martin Brennan 2020-01-30 16:19:14 +10:00 committed by GitHub
parent c84652eb8b
commit 1150cd4621
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/models/upload.rb
View File

@ -128,7 +128,9 @@ class Upload < ActiveRecord::Base
end
def self.secure_media_url?(url)
url.include?(SECURE_MEDIA_ROUTE)
# we do not want to exclude topic links that for whatever reason
# have secure-media-uploads in the URL e.g. /t/secure-media-uploads-are-cool/223452
url.include?(SECURE_MEDIA_ROUTE) && !url.include?("/t/") && FileHelper.is_supported_media?(url)
end
def self.signed_url_from_secure_media_url(url)

7
lib/email/styles.rb
View File

@ -288,15 +288,14 @@ module Email
def replace_secure_media_urls
@fragment.css('[href]').each do |a|
if a['href'][/#{Upload::SECURE_MEDIA_ROUTE}/]
if Upload.secure_media_url?(a['href'])
a.add_next_sibling "<p class='secure-media-notice'>#{I18n.t("emails.secure_media_placeholder")}</p>"
a.remove
end
end
@fragment.search('img').each do |img|
next unless img['src']
if img['src'][/#{Upload::SECURE_MEDIA_ROUTE}/]
@fragment.search('img[src]').each do |img|
if Upload.secure_media_url?(img['src'])
img.add_next_sibling "<p class='secure-media-notice'>#{I18n.t("emails.secure_media_placeholder")}</p>"
img.remove
end

2
lib/pretty_text.rb
View File

@ -388,7 +388,7 @@ module PrettyText
def self.strip_secure_media(doc)
doc.css("a[href]").each do |a|
if a["href"].include?("/#{Upload::SECURE_MEDIA_ROUTE}/") && FileHelper.is_supported_media?(a["href"])
if Upload.secure_media_url?(a["href"])
target = %w(video audio).include?(a&.parent&.parent&.name) ? a.parent.parent : a
target.replace "<p class='secure-media-notice'>#{I18n.t("emails.secure_media_placeholder")}</p>"
end

6
spec/components/email/styles_spec.rb
View File

@ -212,6 +212,10 @@ describe Email::Styles do
expect(frag.at('p.secure-media-notice')).to be_present
expect(frag.at('img')).not_to be_present
end
end
it "does not replace topic links with secure-media-uploads in the name" do
frag = html_fragment("<a href=\"#{Discourse.base_url}\/t/secure-media-uploads/235723\">Visit Topic</a>")
expect(frag.at('p.secure-media-notice')).not_to be_present
end
end
end