SECURITY: avoid use of send in favor of public_send

2024-11-26 10:55:54 +08:00 · 2019-05-07 09:41:05 +10:00 · 2019-05-07 09:41:05 +10:00 · c8418595bf
commit c8418595bf
parent e9564c999f
1 changed files with 10 additions and 10 deletions
--- a/lib/site_setting_extension.rb
+++ b/lib/site_setting_extension.rb
@ -137,7 +137,7 @@ module SiteSettingExtension
      end

      if opts[:shadowed_by_global] && GlobalSetting.respond_to?(name)
-        val = GlobalSetting.send(name)
+        val = GlobalSetting.public_send(name)

        unless val.nil? || (val == ''.freeze)
          shadowed_val = val
@ -186,9 +186,9 @@ module SiteSettingExtension
    defaults.all.keys.each do |s|
      result[s] =
        if deprecated_settings.include?(s.to_s)
-          send(s, warn: false).to_s
+          public_send(s, warn: false).to_s
        else
-          send(s).to_s
+          public_send(s).to_s
        end
    end

@ -229,7 +229,7 @@ module SiteSettingExtension
      .reject { |s, _| !include_hidden && hidden_settings.include?(s) }
      .map do |s, v|

-      value = send(s)
+      value = public_send(s)
      type_hash = type_supervisor.type_hash(s)
      default = defaults.get(s, default_locale).to_s

@ -288,7 +288,7 @@ module SiteSettingExtension
      new_hash = defaults_view.merge!(new_hash)

      # add shadowed
-      shadowed_settings.each { |ss| new_hash[ss] = GlobalSetting.send(ss) }
+      shadowed_settings.each { |ss| new_hash[ss] = GlobalSetting.public_send(ss) }

      changes, deletions = diff_hash(new_hash, current)

@ -370,7 +370,7 @@ module SiteSettingExtension
  end

  def notify_clients!(name)
-    MessageBus.publish('/client_settings', name: name, value: self.send(name))
+    MessageBus.publish('/client_settings', name: name, value: self.public_send(name))
  end

  def requires_refresh?(name)
@ -393,7 +393,7 @@ module SiteSettingExtension
  def set(name, value)
    if has_setting?(name)
      value = filter_value(name, value)
-      self.send("#{name}=", value)
+      self.public_send("#{name}=", value)
      Discourse.request_refresh! if requires_refresh?(name)
    else
      raise Discourse::InvalidParameters.new("Either no setting named '#{name}' exists or value provided is invalid")
@ -401,9 +401,9 @@ module SiteSettingExtension
  end

  def set_and_log(name, value, user = Discourse.system_user)
-    prev_value = send(name)
-    set(name, value)
    if has_setting?(name)
+      prev_value = public_send(name)
+      set(name, value)
      value = prev_value = "[FILTERED]" if secret_settings.include?(name.to_sym)
      StaffActionLogger.new(user).log_site_setting_change(name, prev_value, value)
    end
@ -481,7 +481,7 @@ module SiteSettingExtension
    end

    define_singleton_method "#{clean_name}?" do
-      self.send clean_name
+      self.public_send clean_name
    end

    define_singleton_method "#{clean_name}=" do |val|