FIX: Cooking custom emojis should not use a secure URL (#15929)

When a site has secure media enabled and a post is with secure media, we were incorrectly cooking custom emoji URLs and using the secure URL for those emojis, even though they should not be considered secure (their corresponding upload records in the database are _not_ secure). Now instead of the blanket post.with_secure_media? boolean for the secure: param, we also want to make sure the image whose URL is being cooked is also _not_ a custom emoji.
2024-11-25 09:42:07 +08:00 · 2022-02-14 13:02:42 +10:00 · 2022-02-14 13:02:42 +10:00 · 88a8584348
commit 88a8584348
parent a34075d205
2 changed files with 24 additions and 1 deletions
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@ -415,7 +415,10 @@ class CookedPostProcessor

    %w{src data-small-upload}.each do |selector|
      @doc.css("img[#{selector}]").each do |img|
-        img[selector] = UrlHelper.cook_url(img[selector].to_s, secure: @post.with_secure_media?)
+        custom_emoji = img["class"]&.include?("emoji-custom") && Emoji.custom?(img["title"])
+        img[selector] = UrlHelper.cook_url(
+          img[selector].to_s, secure: @post.with_secure_media? && !custom_emoji
+        )
      end
    end
  end
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@ -1359,6 +1359,26 @@ describe CookedPostProcessor do
          HTML
        end

+        it "doesn't use the secure media URL for custom emoji" do
+          CustomEmoji.create!(name: 'trout', upload: upload)
+          Emoji.clear_cache
+          Emoji.load_custom
+          stored_path = Discourse.store.get_path_for_upload(upload)
+          upload.update_column(:url, "#{SiteSetting.Upload.absolute_base_url}/#{stored_path}")
+          upload.update_column(:secure, true)
+
+          the_post = Fabricate(:post, raw: "This post has a custom emoji :trout:")
+          the_post.cook(the_post.raw)
+
+          cpp = CookedPostProcessor.new(the_post)
+          cpp.optimize_urls
+
+          upload_url = upload.url.gsub(SiteSetting.Upload.absolute_base_url, "https://s3.cdn.com")
+          expect(cpp.html).to match_html <<~HTML
+            <p>This post has a custom emoji <img src="#{upload_url}?v=#{Emoji::EMOJI_VERSION}" title=":trout:" class="emoji emoji-custom" alt=":trout:" loading="lazy" width="20" height="20"></p>
+          HTML
+        end
+
        context "media uploads" do
          fab!(:image_upload) { Fabricate(:upload) }
          fab!(:audio_upload) { Fabricate(:upload, extension: "ogg") }