DEV: Respond with error 400 to uploads requested via XHR
follow-up to 13f38055
This commit is contained in:
parent
467e03a2ec
commit
5b91182985
@ -70,7 +70,7 @@ class UploadsController < ApplicationController
def show
def show
# do not serve uploads requested via XHR to prevent XSS
# do not serve uploads requested via XHR to prevent XSS
return render_404 if request.xhr?
return xhr_not_allowed if request.xhr?
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
@ -92,7 +92,7 @@ class UploadsController < ApplicationController
def show_short
def show_short
# do not serve uploads requested via XHR to prevent XSS
# do not serve uploads requested via XHR to prevent XSS
return render_404 if request.xhr?
return xhr_not_allowed if request.xhr?
if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
return render_404
return render_404
@ -126,6 +126,10 @@ class UploadsController < ApplicationController
protected
protected
def xhr_not_allowed
raise Discourse::InvalidParameters.new("XHR not allowed")
end
def render_404
def render_404
raise Discourse::NotFound
raise Discourse::NotFound
end
end
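Review bot: The new `xhr_not_allowed` helper carries no explanation of why a 400 is now returned where the guards in `show` and `show_short` previously returned a 404, so the next reader is likely to "normalise" it back; a one-line comment above the method, `# Deliberate 400 rather than 404: the upload may exist, it is the request shape (XHR) that is refused`, would pin the intent. Note also that `request.xhr?` only inspects the client-supplied `X-Requested-With: XMLHttpRequest` header, which a `fetch()` call does not send by default, so the guard turns away browser XHR callers rather than acting as a hard boundary; if the "to prevent XSS" comment on the guarded lines is meant as a guarantee, it is worth saying there that the real protection presumably lies in how the upload is served (headers/disposition), which this section does not show. Mapping `Discourse::InvalidParameters` to an HTTP 400 happens outside this section, so the status code the title promises cannot be confirmed from the visible lines.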
@ -5,14 +5,7 @@ acceptance("User", { loggedIn: true });
QUnit.test("Invalid usernames", async assert => {
QUnit.test("Invalid usernames", async assert => {
// prettier-ignore
// prettier-ignore
server.get("/u/eviltrout%2F..%2F..%2F.json", () => { // eslint-disable-line no-undef
server.get("/u/eviltrout%2F..%2F..%2F.json", () => { // eslint-disable-line no-undef
return [
return [400, { "Content-Type": "application/json" }, {}];
404,
{ "Content-Type": "application/json" },
{
errors: ["The requested URL or resource could not be found."],
error_type: "not_found"
}
];
});
});
await visit("/u/eviltrout%2F..%2F..%2F/summary");
await visit("/u/eviltrout%2F..%2F..%2F/summary");