SECURITY: prefer render plain/html to render text where possible

2025-01-19 05:52:49 +08:00 · 2017-04-10 08:09:55 -04:00 · 2017-04-10 08:09:55 -04:00 · f09ca88c47
commit f09ca88c47
parent e5c6d0ea65
8 changed files with 19 additions and 14 deletions
--- a/app/controllers/admin/diagnostics_controller.rb
+++ b/app/controllers/admin/diagnostics_controller.rb
@ -14,7 +14,7 @@ class Admin::DiagnosticsController < Admin::AdminController

    text << "\n\nCOUNT #{statements.count}"

-    render text: text, content_type: Mime::TEXT
+    render plain: text
  end

  def memory_stats
@ -33,7 +33,7 @@ class Admin::DiagnosticsController < Admin::AdminController
      text = MemoryDiagnostics.memory_report(class_report: params.key?(:full))
    end

-    render text: text, content_type: Mime::TEXT
+    render plain: text
  end

  def dump_heap
@ -46,9 +46,9 @@ class Admin::DiagnosticsController < Admin::AdminController
      ObjectSpace.dump_all(:output => io)
      io.close

-      render text: "HEAP DUMP:\n#{io.path}", content_type: Mime::TEXT
+      render plain: "HEAP DUMP:\n#{io.path}"
    rescue
-      render text: "HEAP DUMP:\nnot supported", content_type: Mime::TEXT
+      render plain: "HEAP DUMP:\nnot supported"
    end
  end

--- a/app/controllers/admin/email_controller.rb
+++ b/app/controllers/admin/email_controller.rb
@ -72,7 +72,7 @@ class Admin::EmailController < Admin::AdminController
  def handle_mail
    params.require(:email)
    Email::Processor.process!(params[:email])
-    render text: "email was processed"
+    render plain: "email was processed"
  end

  def raw_email
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -29,7 +29,7 @@ class ApplicationController < ActionController::Base
    unless is_api? || is_user_api?
      super
      clear_current_user
-      render text: "['BAD CSRF']", status: 403
+      render plain: "[\"BAD CSRF\"]", status: 403
    end
  end

@ -170,7 +170,7 @@ class ApplicationController < ActionController::Base

      render_json_error I18n.t(type), type: type, status: status_code
    else
-      render text: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')
+      render html: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')
    end
  end

--- a/app/controllers/exceptions_controller.rb
+++ b/app/controllers/exceptions_controller.rb
@ -14,7 +14,7 @@ class ExceptionsController < ApplicationController
    # Don't show google search if it's embedded in the Ember app
    @hide_google = true

-    render text: build_not_found_page(200, false)
+    render html: build_not_found_page(200, false)
  end

 end
--- a/app/controllers/forums_controller.rb
+++ b/app/controllers/forums_controller.rb
@ -6,9 +6,9 @@ class ForumsController < ApplicationController

  def status
    if $shutdown
-      render text: 'shutting down', status: 500, content_type: 'text/plain'
+      render plain: 'shutting down', status: 500
    else
-      render text: 'ok', content_type: 'text/plain'
+      render plain: 'ok'
    end
  end

--- a/app/controllers/onebox_controller.rb
+++ b/app/controllers/onebox_controller.rb
@ -9,7 +9,7 @@ class OneboxController < ApplicationController
    preview = Oneboxer.cached_preview(params[:url])
    preview.strip! if preview.present?

-    return render(text: preview) if preview.present?
+    return render(plain: preview) if preview.present?

    # only 1 outgoing preview per user
    return render(nothing: true, status: 429) if Oneboxer.is_previewing?(params[:user_id])
@ -26,7 +26,7 @@ class OneboxController < ApplicationController
    if preview.blank?
      render nothing: true, status: 404
    else
-      render text: preview
+      render plain: preview
    end
  end

--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -19,7 +19,7 @@ class PostsController < ApplicationController
  def markdown_num
    if params[:revision].present?
      post_revision = find_post_revision_from_topic_id
-      render text: post_revision.modifications[:raw].last, content_type: 'text/plain'
+      render plain: post_revision.modifications[:raw].last
    else
      markdown Post.find_by(topic_id: params[:topic_id].to_i, post_number: (params[:post_number] || 1).to_i)
    end
@ -27,7 +27,7 @@ class PostsController < ApplicationController

  def markdown(post)
    if post && guardian.can_see?(post)
-      render text: post.raw, content_type: 'text/plain'
+      render plain: post.raw
    else
      raise Discourse::NotFound
    end
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -46,6 +46,11 @@ class SessionController < ApplicationController
        sso.external_id = current_user.id.to_s
        sso.admin = current_user.admin?
        sso.moderator = current_user.moderator?
+        if sso.return_sso_url.blank?
+          render plain: "return_sso_url is blank, it must be provided", status: 400
+          return
+        end
+
        if request.xhr?
          cookies[:sso_destination_url] = sso.to_url(sso.return_sso_url)
        else