mirror of
https://github.com/discourse/discourse.git
synced 2024-12-13 12:03:45 +08:00
SECURITY: 413 for GET, HEAD or DELETE requests with payload.
parent
3260865697
commit
4342d08edd
|
@ -297,7 +297,15 @@ module Middleware
|
|||
@app = app
|
||||
end
|
||||
|
||||
PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
|
||||
|
||||
def call(env)
|
||||
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
|
||||
env[Rack::RACK_INPUT].size > 0
|
||||
|
||||
return [413, {}, []]
|
||||
end
|
||||
|
||||
helper = Helper.new(env)
|
||||
force_anon = false
|
||||
|
||||
|
|
|
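Review bot: The guard at the top of `call` relies on `env[Rack::RACK_INPUT].size`, but the Rack specification does not list `size` among the methods an input stream must provide. On an app server whose input object lacks it (or supplies no input object), this line would raise and return a 500 instead of the intended 413. A more defensive form is `input = env[Rack::RACK_INPUT]` followed by `input.respond_to?(:size) && input.size > 0`; whether the declared `CONTENT_LENGTH` should also be checked depends on the deployment's front end and is worth confirming. The constant is a mutable array and should be frozen: `PAYLOAD_INVALID_REQUEST_METHODS = %w[GET DELETE HEAD].freeze`. A short comment above the guard, e.g. `# Reject bodies on methods that should not carry one, before any anonymous-cache handling runs.`, would record why the early return sits ahead of `Helper.new(env)`. The body of `call` continues outside the hunk.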
@ -169,6 +169,16 @@ describe Middleware::AnonymousCache do
|
|||
end
|
||||
end
|
||||
|
||||
context 'invalid request payload' do
|
||||
it 'returns 413 for GET request with payload' do
|
||||
status, _, _ = middleware.call(env.tap do |environment|
|
||||
environment[Rack::RACK_INPUT].write("test")
|
||||
end)
|
||||
|
||||
expect(status).to eq(413)
|
||||
end
|
||||
end
|
||||
|
||||
context "crawler blocking" do
|
||||
let :non_crawler do
|
||||
{
|
||||
|
|
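Review bot: Only the GET case is exercised in the new `invalid request payload` context, while the middleware constant also lists DELETE and HEAD, so a later edit that drops either method from the list would not fail this spec. Adding one example per method, setting `environment[Rack::REQUEST_METHOD] = "DELETE"` (and `"HEAD"`) inside the same `tap` block, would close that gap. A negative example is also worth adding: a POST with a body and a GET with an empty body should still reach the app, which pins that the guard does not over-block. How `env` and `middleware` are built is outside the hunk, so the exact setup may need adjusting.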