mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 09:42:02 +08:00
replace the upload type whitelist with a sanitizer
This commit is contained in:
parent
8e5b0c79ae
commit
13e489b4ca
|
@ -5,9 +5,8 @@ class UploadsController < ApplicationController
|
|||
skip_before_filter :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]
|
||||
|
||||
def create
|
||||
type = params.require(:type)
|
||||
|
||||
raise Discourse::InvalidAccess.new unless Upload::UPLOAD_TYPES.include?(type)
|
||||
# 50 characters ought to be enough for the upload type
|
||||
type = params.require(:type).parameterize("_")[0..50]
|
||||
|
||||
if type == "avatar" && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
|
||||
return render json: failed_json, status: 422
|
||||
|
|
|
@ -21,9 +21,6 @@ class Upload < ActiveRecord::Base
|
|||
|
||||
validates_with ::Validators::UploadValidator
|
||||
|
||||
CROPPED_TYPES ||= %w{avatar card_background custom_emoji profile_background}.each(&:freeze)
|
||||
UPLOAD_TYPES ||= CROPPED_TYPES + %w{composer category_logo category_background wizard_logo_url wizard_logo_small_url wizard_favicon_url wizard_apple_touch_icon_url}.each(&:freeze)
|
||||
|
||||
def thumbnail(width = self.width, height = self.height)
|
||||
optimized_images.find_by(width: width, height: height)
|
||||
end
|
||||
|
|
|
@ -5,10 +5,12 @@ class UploadCreator
|
|||
|
||||
TYPES_CONVERTED_TO_JPEG ||= %i{bmp png}
|
||||
|
||||
TYPES_TO_CROP ||= %w{avatar card_background custom_emoji profile_background}.each(&:freeze)
|
||||
|
||||
WHITELISTED_SVG_ELEMENTS ||= %w{
|
||||
circle clippath defs ellipse g line linearGradient path polygon polyline
|
||||
radialGradient rect stop svg text textpath tref tspan use
|
||||
}
|
||||
}.each(&:freeze)
|
||||
|
||||
# Available options
|
||||
# - type (string)
|
||||
|
@ -177,7 +179,7 @@ class UploadCreator
|
|||
end
|
||||
|
||||
def should_crop?
|
||||
Upload::CROPPED_TYPES.include?(@opts[:type])
|
||||
TYPES_TO_CROP.include?(@opts[:type])
|
||||
end
|
||||
|
||||
def crop!
|
||||
|
|
|
@ -33,18 +33,13 @@ describe UploadsController do
|
|||
})
|
||||
end
|
||||
|
||||
it 'fails if type is invalid' do
|
||||
xhr :post, :create, file: logo, type: "invalid type cause has space"
|
||||
expect(response.status).to eq 403
|
||||
it 'expects a type' do
|
||||
expect { xhr :post, :create, file: logo }.to raise_error(ActionController::ParameterMissing)
|
||||
end
|
||||
|
||||
xhr :post, :create, file: logo, type: "\\invalid"
|
||||
expect(response.status).to eq 403
|
||||
|
||||
xhr :post, :create, file: logo, type: "invalid."
|
||||
expect(response.status).to eq 403
|
||||
|
||||
xhr :post, :create, file: logo, type: "toolong"*100
|
||||
expect(response.status).to eq 403
|
||||
it 'parameterize the type' do
|
||||
subject.expects(:create_upload).with(logo, nil, "super_long_type_with_charssuper_long_type_with_char")
|
||||
xhr :post, :create, file: logo, type: "super \# long \//\\ type with \\. $%^&*( chars" * 5
|
||||
end
|
||||
|
||||
it 'is successful with an image' do
|
||||
|
|
Loading…
Reference in New Issue
Block a user