SECURITY: 413 for GET, HEAD or DELETE requests with payload.
This commit is contained in:
parent
3260865697
commit
4342d08edd
|
@ -297,7 +297,15 @@ module Middleware
|
||||||
@app = app
|
@app = app
|
||||||
end
|
end
|
||||||
|
|
||||||
|
PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
|
||||||
|
|
||||||
def call(env)
|
def call(env)
|
||||||
|
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
|
||||||
|
env[Rack::RACK_INPUT].size > 0
|
||||||
|
|
||||||
|
return [413, {}, []]
|
||||||
|
end
|
||||||
|
|
||||||
helper = Helper.new(env)
|
helper = Helper.new(env)
|
||||||
force_anon = false
|
force_anon = false
|
||||||
|
|
||||||
|
|
|
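Review bot: The new guard calls `size` on `env[Rack::RACK_INPUT]`, but the Rack SPEC only requires the input object to respond to `gets`, `each`, `read` and `rewind`, so a server or upstream middleware that hands in a non-IO wrapper would raise NoMethodError here and turn the intended 413 into a 500; `env[Rack::CONTENT_LENGTH].to_i > 0` is the portable signal, with the caveat that a chunked body may carry no Content-Length, so a combined check such as `env[Rack::CONTENT_LENGTH].to_i > 0 || env[Rack::RACK_INPUT].respond_to?(:size) && env[Rack::RACK_INPUT].size > 0` keeps the current behaviour on Puma/Unicorn while not assuming `size`. The bare `[413, {}, []]` response is also worth a second look: older Rack::Lint versions reject a non-1xx/204/304 response without a Content-Type, so something like `[413, { "Content-Type" => "text/plain" }, []]` would be safer in development where Lint is enabled, and a short comment above the constant stating the intent (`# Requests whose method carries no body semantics must not smuggle a payload past the cache/proxy layer`) would help the next reader. Minor style: `PAYLOAD_INVALID_REQUEST_METHODS` is a mutable constant; `%w[GET DELETE HEAD].freeze` matches the rest of the codebase's convention. The body of `call` continues past the end of this hunk.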
@ -169,6 +169,16 @@ describe Middleware::AnonymousCache do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'invalid request payload' do
|
||||||
|
it 'returns 413 for GET request with payload' do
|
||||||
|
status, _, _ = middleware.call(env.tap do |environment|
|
||||||
|
environment[Rack::RACK_INPUT].write("test")
|
||||||
|
end)
|
||||||
|
|
||||||
|
expect(status).to eq(413)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context "crawler blocking" do
|
context "crawler blocking" do
|
||||||
let :non_crawler do
|
let :non_crawler do
|
||||||
{
|
{
|
||||||
|
|
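Review bot: The new example only proves that a GET with a body gets a 413; it would also pass if the middleware returned 413 unconditionally, and the DELETE and HEAD branches of `PAYLOAD_INVALID_REQUEST_METHODS` are untested. Adding a negative case (a POST with the same body, or a GET with an empty input, must fall through to the app) and covering the other two methods pins the actual contract; the sketch below assumes `env` builds a fresh Rack environment on each call, which is defined outside this hunk and should be confirmed.
```ruby
it 'returns 413 for HEAD and DELETE requests with payload' do
  %w[HEAD DELETE].each do |method|
    status, _, _ = middleware.call(env.tap do |environment|
      environment[Rack::REQUEST_METHOD] = method
      environment[Rack::RACK_INPUT].write("test")
    end)

    expect(status).to eq(413)
  end
end

it 'does not return 413 for a POST request with payload' do
  status, _, _ = middleware.call(env.tap do |environment|
    environment[Rack::REQUEST_METHOD] = "POST"
    environment[Rack::RACK_INPUT].write("test")
  end)

  expect(status).not_to eq(413)
end
```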