From 190558db9d76cff79bc7c9a61ea00515755185d3 Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan <tgx_world@hotmail.com>
Date: Mon, 9 Oct 2017 08:59:03 +0800
Subject: [PATCH] SECURITY: Fix XSS on unsubscribed page.

---
 app/controllers/email_controller.rb    |  1 +
 app/controllers/invites_controller.rb  |  1 +
 app/views/email/unsubscribed.html.erb  |  4 ++--
 spec/requests/email_controller_spec.rb | 13 +++++++++++++
 4 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 spec/requests/email_controller_spec.rb

diff --git a/app/controllers/email_controller.rb b/app/controllers/email_controller.rb
index 600e6ceb3a8..99b70876f79 100644
--- a/app/controllers/email_controller.rb
+++ b/app/controllers/email_controller.rb
@@ -110,6 +110,7 @@ class EmailController < ApplicationController
 
   def unsubscribed
     @email = params[:email]
+    raise Discourse::NotFound if !User.find_by_email(params[:email])
     @topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
   end
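Review bot: The added lookup only narrows which addresses reach the view; `app/views/email/unsubscribed.html.erb` still passes `@email` into a translation that is then marked `.html_safe`, so whatever passes the lookup is rendered unescaped, and the view hunk in this patch changes only whitespace. The durable fix is to escape at the interpolation point, `email: h(@email)`, and keep this lookup as a secondary guard; in the file's guard-clause style the line would read `raise Discourse::NotFound unless User.find_by_email(params[:email])`. Separately, `@topic` on the next line is still fetched by raw id with no visibility check before the view hands it to `render_topic_title`, whereas the invites hunk below does add a guardian check; unless that helper applies its own restriction, `guardian.ensure_can_see!(@topic) if @topic` would be the consistent treatment. Note that a 404 here versus a 200 for a registered address discloses whether an email belongs to an account, which may or may not be acceptable for this endpoint.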
 
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 2866ff2dcbf..52fa3633150 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -96,6 +96,7 @@ class InvitesController < ApplicationController
 
     guardian.ensure_can_invite_to_forum!(groups)
     topic = Topic.find_by(id: params[:topic_id])
+    guardian.ensure_can_see_topic?(topic)
     group_ids = groups.map(&:id)
 
     invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
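Review bot: `guardian.ensure_can_see_topic?(topic)` combines the `ensure_` prefix with a `?` predicate suffix, unlike `ensure_can_invite_to_forum!` two lines above; if Guardian follows its `ensure_can_*!` convention this name either does not exist or is a predicate whose return value is discarded here, in which case the added check is a no-op and the invite would still be created. The raising form, `guardian.ensure_can_see!(topic) if topic`, expresses the intent, with the `if topic` because `Topic.find_by` on the previous line returns nil when `topic_id` is absent or unknown and a forum-wide invite presumably has no topic. The enclosing action starts and ends outside the hunk.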
diff --git a/app/views/email/unsubscribed.html.erb b/app/views/email/unsubscribed.html.erb
index a593bfed31b..835b2c052f0 100644
--- a/app/views/email/unsubscribed.html.erb
+++ b/app/views/email/unsubscribed.html.erb
@@ -3,12 +3,12 @@
   <h2><%=t "unsubscribed.title"%></h2>
   <br>
   <p>
-    <%=t("unsubscribed.description", email: @email, url: path("/my/preferences")).html_safe %>
+    <%= t("unsubscribed.description", email: @email, url: path("/my/preferences")).html_safe %>
   </p>
 
   <% if @topic %>
   <p>
-    <%=t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%>
+    <%= t("unsubscribed.topic_description", link: render_topic_title(@topic)).html_safe%>
   </p>
   <% end %>
 </div>
diff --git a/spec/requests/email_controller_spec.rb b/spec/requests/email_controller_spec.rb
new file mode 100644
index 00000000000..cd059019154
--- /dev/null
+++ b/spec/requests/email_controller_spec.rb
@@ -0,0 +1,13 @@
+require 'rails_helper'
+
+RSpec.describe EmailController do
+  describe '#unsubscribed' do
+    describe 'when email is invalid' do
+      it 'should return the right response' do
+        get '/email/unsubscribed', params: { email: 'somerandomstring' }
+
+        expect(response.status).to eq(404)
+      end
+    end
+  end
+end
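Review bot: The new spec exercises only the rejection path; nothing asserts that a registered address still reaches the page with a 200, and nothing pins the output the subject line is about, so a future change to the guard clause could block the legitimate unsubscribe flow without failing a test. A second case that creates a user and requests the page with that user's email covers the happy path and gives the escaping a place to be asserted; the fixture helper is assumed to be the suite's `Fabricate`, to be confirmed.
```ruby
  describe '#unsubscribed' do
    # … unchanged: 'when email is invalid' case …

    describe 'when email belongs to a user' do
      it 'should render the page for that user' do
        user = Fabricate(:user)

        get '/email/unsubscribed', params: { email: user.email }

        expect(response.status).to eq(200)
        expect(response.body).to include(user.email)
      end
    end
  end
```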