mirror of
https://github.com/discourse/discourse.git
synced 2025-01-19 06:32:45 +08:00
SECURITY: limit route access when using external avatars
This commit is contained in:
parent
c8081af728
commit
f319923753
|
@ -21,8 +21,11 @@ class UserAvatarsController < ApplicationController
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# mainly used in development for backwards compat
|
|
||||||
def show_proxy_letter
|
def show_proxy_letter
|
||||||
|
if SiteSetting.external_system_avatars_url !~ /^\/letter_avatar_proxy/
|
||||||
|
raise Discourse::NotFound
|
||||||
|
end
|
||||||
|
|
||||||
params.require(:letter)
|
params.require(:letter)
|
||||||
params.require(:color)
|
params.require(:color)
|
||||||
params.require(:version)
|
params.require(:version)
|
||||||
|
|
|
@ -2,6 +2,19 @@ require 'rails_helper'
|
||||||
|
|
||||||
describe UserAvatarsController do
|
describe UserAvatarsController do
|
||||||
|
|
||||||
|
context 'show_proxy_letter' do
|
||||||
|
it 'returns not found if external avatar is set somewhere else' do
|
||||||
|
SiteSetting.external_system_avatars_url = "https://somewhere.else.com/avatar.png"
|
||||||
|
response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
|
||||||
|
expect(response.status).to eq(404)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns an avatar if we are allowing the proxy' do
|
||||||
|
response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context 'show' do
|
context 'show' do
|
||||||
it 'handles non local content correctly' do
|
it 'handles non local content correctly' do
|
||||||
SiteSetting.avatar_sizes = "100|49"
|
SiteSetting.avatar_sizes = "100|49"
|
||||||
|
|
Loading…
Reference in New Issue
Block a user