SECURITY: prefer render plain/html to render text where possible

2017-04-10 08:01:25 -04:00 · 2017-04-10 08:01:25 -04:00 · 0013a23dc1
parent e49f3a408e
commit 0013a23dc1
9 changed files with 17 additions and 17 deletions
--- a/app/controllers/admin/diagnostics_controller.rb
+++ b/app/controllers/admin/diagnostics_controller.rb
@ -14,7 +14,7 @@ class Admin::DiagnosticsController < Admin::AdminController

    text << "\n\nCOUNT #{statements.count}"

-    render text: text, content_type: Mime::TEXT
+    render plain: text
  end

  def memory_stats
@ -33,7 +33,7 @@ class Admin::DiagnosticsController < Admin::AdminController
      text = MemoryDiagnostics.memory_report(class_report: params.key?(:full))
    end

-    render text: text, content_type: Mime::TEXT
+    render plain: text
  end

  def dump_heap
@ -46,9 +46,9 @@ class Admin::DiagnosticsController < Admin::AdminController
      ObjectSpace.dump_all(:output => io)
      io.close

-      render text: "HEAP DUMP:\n#{io.path}", content_type: Mime::TEXT
+      render plain: "HEAP DUMP:\n#{io.path}"
    rescue
-      render text: "HEAP DUMP:\nnot supported", content_type: Mime::TEXT
+      render plain: "HEAP DUMP:\nnot supported"
    end
  end

--- a/app/controllers/admin/email_controller.rb
+++ b/app/controllers/admin/email_controller.rb
@ -85,7 +85,7 @@ class Admin::EmailController < Admin::AdminController
  def handle_mail
    params.require(:email)
    Email::Processor.process!(params[:email])
-    render text: "email was processed"
+    render plain: "email was processed"
  end

  def raw_email
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -29,7 +29,7 @@ class ApplicationController < ActionController::Base
    unless is_api? || is_user_api?
      super
      clear_current_user
-      render text: "[\"BAD CSRF\"]", status: 403
+      render plain: "[\"BAD CSRF\"]", status: 403
    end
  end

@ -159,7 +159,7 @@ class ApplicationController < ActionController::Base

      render_json_error I18n.t(type), type: type, status: status_code
    else
-      render text: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')
+      render html: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')
    end
  end

--- a/app/controllers/exceptions_controller.rb
+++ b/app/controllers/exceptions_controller.rb
@ -14,7 +14,7 @@ class ExceptionsController < ApplicationController
    # Don't show google search if it's embedded in the Ember app
    @hide_google = true

-    render text: build_not_found_page(200, false)
+    render html: build_not_found_page(200, false)
  end

 end
--- a/app/controllers/forums_controller.rb
+++ b/app/controllers/forums_controller.rb
@ -6,9 +6,9 @@ class ForumsController < ApplicationController

  def status
    if $shutdown
-      render text: 'shutting down', status: 500, content_type: 'text/plain'
+      render plain: 'shutting down', status: 500
    else
-      render text: 'ok', content_type: 'text/plain'
+      render plain: 'ok'
    end
  end

--- a/app/controllers/onebox_controller.rb
+++ b/app/controllers/onebox_controller.rb
@ -9,7 +9,7 @@ class OneboxController < ApplicationController
    preview = Oneboxer.cached_preview(params[:url])
    preview.strip! if preview.present?

-    return render(text: preview) if preview.present?
+    return render(plain: preview) if preview.present?

    # only 1 outgoing preview per user
    return render(nothing: true, status: 429) if Oneboxer.is_previewing?(params[:user_id])
@ -26,7 +26,7 @@ class OneboxController < ApplicationController
    if preview.blank?
      render nothing: true, status: 404
    else
-      render text: preview
+      render plain: preview
    end
  end

--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -19,7 +19,7 @@ class PostsController < ApplicationController
  def markdown_num
    if params[:revision].present?
      post_revision = find_post_revision_from_topic_id
-      render text: post_revision.modifications[:raw].last, content_type: 'text/plain'
+      render plain: post_revision.modifications[:raw].last
    else
      markdown Post.find_by(topic_id: params[:topic_id].to_i, post_number: (params[:post_number] || 1).to_i)
    end
@ -27,7 +27,7 @@ class PostsController < ApplicationController

  def markdown(post)
    if post && guardian.can_see?(post)
-      render text: post.raw, content_type: 'text/plain'
+      render plain: post.raw
    else
      raise Discourse::NotFound
    end
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -48,7 +48,7 @@ class SessionController < ApplicationController
        sso.moderator = current_user.moderator?

        if sso.return_sso_url.blank?
-          render text: "return_sso_url is blank, it must be provided", status: 400
+          render plain: "return_sso_url is blank, it must be provided", status: 400
          return
        end

--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@ -43,7 +43,7 @@ class StaticController < ApplicationController
    end

    if I18n.exists?("static.#{@page}")
-      render text: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]
+      render html: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]
      return
    end

@ -163,7 +163,7 @@ class StaticController < ApplicationController
      rescue Errno::ENOENT
        expires_in 1.second, public: true, must_revalidate: false

-        render text: "can not find #{params[:path]}", status: 404
+        render plain: "can not find #{params[:path]}", status: 404
        return
      end
    end