diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 4b780b56bfe..f1841a48603 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -70,7 +70,7 @@ class UploadsController < ApplicationController
 def show
 # do not serve uploads requested via XHR to prevent XSS
- return render_404 if request.xhr?
+ return xhr_not_allowed if request.xhr?
 return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
@@ -92,7 +92,7 @@ class UploadsController < ApplicationController
 def show_short
 # do not serve uploads requested via XHR to prevent XSS
- return render_404 if request.xhr?
+ return xhr_not_allowed if request.xhr?
 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
 return render_404
@@ -126,6 +126,10 @@ class UploadsController < ApplicationController
 protected
+ def xhr_not_allowed
+ raise Discourse::InvalidParameters.new("XHR not allowed")
+ end
+
 def render_404
 raise Discourse::NotFound
 end
diff --git a/test/javascripts/acceptance/user-test.js.es6 b/test/javascripts/acceptance/user-test.js.es6
index ff93b540910..2f2fc61d089 100644
--- a/test/javascripts/acceptance/user-test.js.es6
+++ b/test/javascripts/acceptance/user-test.js.es6
@@ -5,14 +5,7 @@ acceptance("User", { loggedIn: true });
 QUnit.test("Invalid usernames", async assert => {
 // prettier-ignore
 server.get("/u/eviltrout%2F..%2F..%2F.json", () => { // eslint-disable-line no-undef
- return [
- 404,
- { "Content-Type": "application/json" },
- {
- errors: ["The requested URL or resource could not be found."],
- error_type: "not_found"
- }
- ];
+ return [400, { "Content-Type": "application/json" }, {}];
 });
 await visit("/u/eviltrout%2F..%2F..%2F/summary");
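Review bot: The new `return xhr_not_allowed if request.xhr?` guard in `show` still keys on `request.xhr?`, which only tests the client-supplied `X-Requested-With: XMLHttpRequest` header; a script that uses `fetch()` or an XHR without that header is not rejected, so on its own this does not deliver the "prevent XSS" promise the comment directly above it makes. The bypass predates this commit (only the response changed, from 404 to an error), but the comment should say so rather than overstate the control, e.g. `# reject requests flagged as XHR via X-Requested-With; the header is client-controlled, so this is defence in depth — the serving headers are the real protection`. The body of `show` continues past the end of the hunk, where the upload is actually served, so I cannot confirm from here what Content-Type/Content-Disposition that path sets; that is the place to verify the primary control.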
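Review bot: `raise Discourse::InvalidParameters.new("XHR not allowed")` in the new `xhr_not_allowed` helper passes a free-text message where, judging only by the class name, the exception is presumably meant to carry a parameter name; if the application's rescue formats it as a bad-parameter error the message may read oddly, so confirm against the handler that maps `InvalidParameters` to a response (it is outside this diff; the JS test hunk suggests a 400). Idiomatic Ruby is `raise Discourse::InvalidParameters, "XHR not allowed"` rather than calling `.new` explicitly. The helper also carries no comment explaining why an XHR request is treated as an invalid-parameters error instead of a 404, so I would add `# XHR requests for uploads are refused with a 4xx rather than a 404 so the client sees a deliberate rejection; used by #show and #show_short` above the `def`.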
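Review bot: The empty `{}` body in the new mock for `/u/eviltrout%2F..%2F..%2F.json` drops the `errors` array and `error_type` the old mock carried, so whatever the page renders from an error body is no longer exercised by this visit; the assertions after `await visit(...)` are outside the hunk, so I cannot tell whether they depended on it. This user-route mock is also the only test touched while the code change is in `UploadsController`, so the link between the 404-to-400 switch here and `Discourse::InvalidParameters` is inferred rather than shown by the diff. Keeping an `errors` array in the mock body, with whatever message the real handler emits for `InvalidParameters`, would keep the test closer to the production response shape.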