From f319923753211206aad84563cf22e7cdfa544a27 Mon Sep 17 00:00:00 2001
From: Sam
Date: Thu, 28 Jul 2016 08:59:58 +1000
Subject: [PATCH] SECURITY: limit route access when using external avatars

---
 app/controllers/user_avatars_controller.rb | 5 ++++-
 spec/controllers/user_avatars_controller_spec.rb | 13 +++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/app/controllers/user_avatars_controller.rb b/app/controllers/user_avatars_controller.rb
index a3469105438..5b67747cff5 100644
--- a/app/controllers/user_avatars_controller.rb
+++ b/app/controllers/user_avatars_controller.rb
@@ -21,8 +21,11 @@ class UserAvatarsController < ApplicationController
     end
   end
 
-  # mainly used in development for backwards compat
   def show_proxy_letter
+    if SiteSetting.external_system_avatars_url !~ /^\/letter_avatar_proxy/
+      raise Discourse::NotFound
+    end
+
     params.require(:letter)
     params.require(:color)
     params.require(:version)
diff --git a/spec/controllers/user_avatars_controller_spec.rb b/spec/controllers/user_avatars_controller_spec.rb
index 92630ddb877..55a3272da8e 100644
--- a/spec/controllers/user_avatars_controller_spec.rb
+++ b/spec/controllers/user_avatars_controller_spec.rb
@@ -2,6 +2,19 @@
 require 'rails_helper'
 
 describe UserAvatarsController do
+  context 'show_proxy_letter' do
+    it 'returns not found if external avatar is set somewhere else' do
+      SiteSetting.external_system_avatars_url = "https://somewhere.else.com/avatar.png"
+      response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
+      expect(response.status).to eq(404)
+    end
+
+    it 'returns an avatar if we are allowing the proxy' do
+      response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
+      expect(response.status).to eq(200)
+    end
+  end
+
   context 'show' do
     it 'handles non local content correctly' do
       SiteSetting.avatar_sizes = "100|49"
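Review bot: The new guard in show_proxy_letter anchors the regex with `^`, which in Ruby matches at the start of any line rather than the start of the string, so a setting value whose first line is something else but that contains a later line starting with `/letter_avatar_proxy` would still enable the route; for a whole-string prefix check the anchor should be `\A`. The guard can also be written as a single guard clause, `raise Discourse::NotFound unless SiteSetting.external_system_avatars_url =~ %r{\A/letter_avatar_proxy}`, which reads more idiomatically than the `!~` form and avoids escaping the slash. Whether the setting can be multi-line is not visible here, so this is a hardening of the check as written rather than a confirmed bypass. The body of show_proxy_letter continues past the end of the hunk.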
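Review bot: The positive spec 'returns an avatar if we are allowing the proxy' does not set `external_system_avatars_url` itself, so it passes only because the site default presumably starts with `/letter_avatar_proxy`; if that default ever changes the spec will fail for a reason unrelated to the controller. Set the value explicitly at the top of that example, e.g. `SiteSetting.external_system_avatars_url = "/letter_avatar_proxy/<rest of template placeholder>"`, so each example states the precondition it depends on. A third example with an external URL that merely contains the proxy path (not at the start) would document that only a local proxy prefix is accepted. The enclosing `describe` block starts and ends outside the hunk.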