mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 15:06:26 +08:00
DEV: Respond with error 400 to uploads requested via XHR
follow-up to 13f38055
This commit is contained in:
parent
df9b295510
commit
fe870a1e54
|
@ -70,7 +70,7 @@ class UploadsController < ApplicationController
|
|||
|
||||
def show
|
||||
# do not serve uploads requested via XHR to prevent XSS
|
||||
return render_404 if request.xhr?
|
||||
return xhr_not_allowed if request.xhr?
|
||||
|
||||
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
|
||||
|
||||
|
@ -92,7 +92,7 @@ class UploadsController < ApplicationController
|
|||
|
||||
def show_short
|
||||
# do not serve uploads requested via XHR to prevent XSS
|
||||
return render_404 if request.xhr?
|
||||
return xhr_not_allowed if request.xhr?
|
||||
|
||||
if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
|
||||
return render_404
|
||||
|
@ -126,6 +126,10 @@ class UploadsController < ApplicationController
|
|||
|
||||
protected
|
||||
|
||||
def xhr_not_allowed
|
||||
raise Discourse::InvalidParameters.new("XHR not allowed")
|
||||
end
|
||||
|
||||
def render_404
|
||||
raise Discourse::NotFound
|
||||
end
|
||||
|
|
|
@ -5,14 +5,7 @@ acceptance("User", { loggedIn: true });
|
|||
QUnit.test("Invalid usernames", async assert => {
|
||||
// prettier-ignore
|
||||
server.get("/u/eviltrout%2F..%2F..%2F.json", () => { // eslint-disable-line no-undef
|
||||
return [
|
||||
404,
|
||||
{ "Content-Type": "application/json" },
|
||||
{
|
||||
errors: ["The requested URL or resource could not be found."],
|
||||
error_type: "not_found"
|
||||
}
|
||||
];
|
||||
return [400, { "Content-Type": "application/json" }, {}];
|
||||
});
|
||||
|
||||
await visit("/u/eviltrout%2F..%2F..%2F/summary");
|
||||
|
|
Loading…
Reference in New Issue
Block a user