SECURITY: Check the length of raw post body (#19734)
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
This commit is contained in:
parent
66ab2d71ff
commit
b9e2e997f4
|
@ -2,12 +2,16 @@
|
|||
|
||||
class StrippedLengthValidator < ActiveModel::EachValidator
|
||||
def self.validate(record, attribute, value, range)
|
||||
if !value.nil?
|
||||
value = get_sanitized_value(value)
|
||||
record.errors.add attribute, (I18n.t('errors.messages.too_short', count: range.begin)) if value.length < range.begin
|
||||
record.errors.add attribute, (I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)) if value.length > range.end
|
||||
if value.nil?
|
||||
record.errors.add attribute, I18n.t('errors.messages.blank')
|
||||
elsif value.length > range.end
|
||||
record.errors.add attribute, I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)
|
||||
else
|
||||
record.errors.add attribute, (I18n.t('errors.messages.blank'))
|
||||
value = get_sanitized_value(value)
|
||||
|
||||
if value.length < range.begin
|
||||
record.errors.add attribute, I18n.t('errors.messages.too_short', count: range.begin)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
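Review bot: The reordering in validate — comparing the raw `value.length` against `range.end` before calling `get_sanitized_value` — is the substance of the fix, but nothing in the code records why, and the removed lines show how naturally a later refactor could move the sanitize call back above the length check; I'd add a why-comment on the `elsif` line: `# Measure the raw value first: sanitizing strips markup (e.g. HTML comments), so a large payload hidden in markup would otherwise slip past the maximum length.` A visible side effect worth stating in the same comment is that `length:` in the too_long_validation message now reports the raw length rather than the sanitized one, so users with heavy markup may see a different number than before (presumably intended, but it is a user-facing change). The too_short branch still measures the sanitized value, which looks right since the minimum is about visible content. The enclosing class continues outside the hunk, so any other callers of the sanitized length are not visible here.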
@ -975,6 +975,20 @@ describe PostsController do
|
|||
parsed = response.parsed_body
|
||||
expect(parsed["action"]).not_to eq("enqueued")
|
||||
end
|
||||
|
||||
it "doesn't enqueue replies when the post is too long (including a html comment)" do
|
||||
SiteSetting.max_post_length = 10
|
||||
raw = "A post <!-- " + ("a" * 3000) + "-->"
|
||||
|
||||
post "/posts.json", params: {
|
||||
raw: raw,
|
||||
title: "this is the test title for the topic"
|
||||
}
|
||||
|
||||
expect(response).not_to be_successful
|
||||
parsed = response.parsed_body
|
||||
expect(parsed["action"]).not_to eq("enqueued")
|
||||
end
|
||||
end
|
||||
|
||||
it 'silences correctly based on auto_silence_first_post_regex' do
|
||||
|
|
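Review bot: The added example asserts only that the response is unsuccessful and that `action` is not `enqueued`, so it would still pass if creation failed for an unrelated reason (a title or rate-limit rejection, for instance), which makes it a weak regression test for the raw-length check it is meant to cover; I'd pin the failure to the validator, e.g. `expect(response.status).to eq(422)` plus an assertion that `parsed["errors"]` mentions the too-long message (the text comes from the `errors.messages.too_long_validation` translation, so match it loosely rather than verbatim). It is also worth asserting that no post was persisted, since `not_to be_successful` on its own does not show that. Minor style: `"A post <!-- #{'a' * 3000} -->"` reads better than the three-part concatenation on the `raw =` line. The enclosing describe block starts and ends outside the hunk.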