github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-14 05:58:44 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: 413 for GET, HEAD or DELETE requests with payload.

Browse Source
This commit is contained in:
Guo Xiang Tan 2020-08-03 14:11:17 +08:00
parent 3260865697
commit 4342d08edd
No known key found for this signature in database
GPG Key ID: FBD110179AAC1F20
2 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/middleware/anonymous_cache.rb
View File

@ -297,7 +297,15 @@ module Middleware
@app = app @app = app
end end
PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
def call(env) def call(env)
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
env[Rack::RACK_INPUT].size > 0
return [413, {}, []]
end
helper = Helper.new(env) helper = Helper.new(env)
force_anon = false force_anon = false

10
spec/components/middleware/anonymous_cache_spec.rb
View File

@ -169,6 +169,16 @@ describe Middleware::AnonymousCache do
end end
end end
context 'invalid request payload' do
it 'returns 413 for GET request with payload' do
status, _, _ = middleware.call(env.tap do |environment|
environment[Rack::RACK_INPUT].write("test")
end)
expect(status).to eq(413)
end
end
context "crawler blocking" do context "crawler blocking" do
let :non_crawler do let :non_crawler do
{ {