From 0013a23dc1a4a8e79687ac41129313f098c92150 Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Mon, 10 Apr 2017 08:01:25 -0400
Subject: [PATCH] SECURITY: prefer render plain/html to render text where possible
---
 app/controllers/admin/diagnostics_controller.rb | 8 ++++----
 app/controllers/admin/email_controller.rb | 2 +-
 app/controllers/application_controller.rb | 4 ++--
 app/controllers/exceptions_controller.rb | 2 +-
 app/controllers/forums_controller.rb | 4 ++--
 app/controllers/onebox_controller.rb | 4 ++--
 app/controllers/posts_controller.rb | 4 ++--
 app/controllers/session_controller.rb | 2 +-
 app/controllers/static_controller.rb | 4 ++--
 9 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/app/controllers/admin/diagnostics_controller.rb b/app/controllers/admin/diagnostics_controller.rb
index 161963519ee..ba889837a34 100644
--- a/app/controllers/admin/diagnostics_controller.rb
+++ b/app/controllers/admin/diagnostics_controller.rb
@@ -14,7 +14,7 @@ class Admin::DiagnosticsController < Admin::AdminController
 text << "\n\nCOUNT #{statements.count}"
- render text: text, content_type: Mime::TEXT
+ render plain: text
 end
 def memory_stats
@@ -33,7 +33,7 @@ class Admin::DiagnosticsController < Admin::AdminController
 text = MemoryDiagnostics.memory_report(class_report: params.key?(:full))
 end
- render text: text, content_type: Mime::TEXT
+ render plain: text
 end
 def dump_heap
@@ -46,9 +46,9 @@ class Admin::DiagnosticsController < Admin::AdminController
 ObjectSpace.dump_all(:output => io)
 io.close
- render text: "HEAP DUMP:\n#{io.path}", content_type: Mime::TEXT
+ render plain: "HEAP DUMP:\n#{io.path}"
 rescue
- render text: "HEAP DUMP:\nnot supported", content_type: Mime::TEXT
+ render plain: "HEAP DUMP:\nnot supported"
 end
 end
diff --git a/app/controllers/admin/email_controller.rb b/app/controllers/admin/email_controller.rb
index 416e0c1b940..74ce0901ec1 100644
--- a/app/controllers/admin/email_controller.rb
+++ b/app/controllers/admin/email_controller.rb
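Review bot: The bare `rescue` in the dump_heap hunk still catches every StandardError, so a dump that fails for any reason other than a missing ObjectSpace.dump_all (presumably a NoMethodError when the objspace extension is absent) — a tempfile that cannot be written, a full disk — is reported to the admin as `HEAP DUMP:\nnot supported` and the real cause is lost. Capturing and logging the error before the existing fallback render keeps the diagnostic honest, e.g. `rescue => e` followed by `Rails.logger.warn("heap dump failed: #{e.class}: #{e.message}")`. The body of dump_heap starts before the hunk, so the io setup is not visible here.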
@@ -85,7 +85,7 @@ class Admin::EmailController < Admin::AdminController
 def handle_mail
 params.require(:email)
 Email::Processor.process!(params[:email])
- render text: "email was processed"
+ render plain: "email was processed"
 end
 def raw_email
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2c390732086..d7a37a3a456 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -29,7 +29,7 @@ class ApplicationController < ActionController::Base
 unless is_api? || is_user_api?
 super
 clear_current_user
- render text: "[\"BAD CSRF\"]", status: 403
+ render plain: "[\"BAD CSRF\"]", status: 403
 end
 end
@@ -159,7 +159,7 @@ class ApplicationController < ActionController::Base
 render_json_error I18n.t(type), type: type, status: status_code
 else
- render text: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')
+ render html: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')
 end
 end
diff --git a/app/controllers/exceptions_controller.rb b/app/controllers/exceptions_controller.rb
index d04c4214d22..d5f21f8cb67 100644
--- a/app/controllers/exceptions_controller.rb
+++ b/app/controllers/exceptions_controller.rb
@@ -14,7 +14,7 @@ class ExceptionsController < ApplicationController
 # Don't show google search if it's embedded in the Ember app
 @hide_google = true
- render text: build_not_found_page(200, false)
+ render html: build_not_found_page(200, false)
 end
 end
diff --git a/app/controllers/forums_controller.rb b/app/controllers/forums_controller.rb
index d0c6969e281..879fb27da78 100644
--- a/app/controllers/forums_controller.rb
+++ b/app/controllers/forums_controller.rb
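Review bot: The 403 body at `render plain: "[\"BAD CSRF\"]", status: 403` is a JSON array hand-encoded into a string and is now always served as text/plain, whereas `render text:` did not pin the Content-Type (elsewhere in this patch the removed lines had to pass `content_type: 'text/plain'` explicitly to get it), so an XHR caller that dispatches on Content-Type may now treat this response differently. If the client is meant to parse it as JSON, `render json: ["BAD CSRF"], status: 403` states that and lets Rails do the encoding; if text/plain is the deliberate choice, a comment saying so would stop the next reader from "fixing" it. The `def` line of handle_unverified_request is outside the hunk.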
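Review bot: `render html:` HTML-escapes its argument unless the string is already marked html_safe, so `render html: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')` only keeps rendering a page if build_not_found_page returns an html_safe buffer (a rendered template rather than a plain String); if it returns a plain String, the not-found page will now display its markup as literal text. The same applies to `render html: build_not_found_page(200, false)` in exceptions_controller.rb below. build_not_found_page is defined outside this diff, so this is worth confirming there and pinning with a comment on it such as `# returns an html_safe buffer; callers hand it to render html:, which escapes anything else`.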
@@ -6,9 +6,9 @@ class ForumsController < ApplicationController
 def status
 if $shutdown
- render text: 'shutting down', status: 500, content_type: 'text/plain'
+ render plain: 'shutting down', status: 500
 else
- render text: 'ok', content_type: 'text/plain'
+ render plain: 'ok'
 end
 end
diff --git a/app/controllers/onebox_controller.rb b/app/controllers/onebox_controller.rb
index 9b09a0f3b87..c4e4fa47f46 100644
--- a/app/controllers/onebox_controller.rb
+++ b/app/controllers/onebox_controller.rb
@@ -9,7 +9,7 @@ class OneboxController < ApplicationController
 preview = Oneboxer.cached_preview(params[:url])
 preview.strip! if preview.present?
- return render(text: preview) if preview.present?
+ return render(plain: preview) if preview.present?
 # only 1 outgoing preview per user
 return render(nothing: true, status: 429) if Oneboxer.is_previewing?(params[:user_id])
@@ -26,7 +26,7 @@ class OneboxController < ApplicationController
 if preview.blank?
 render nothing: true, status: 404
 else
- render text: preview
+ render plain: preview
 end
 end
diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
index 8531c42e92c..9feab0fe827 100644
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -19,7 +19,7 @@ class PostsController < ApplicationController
 def markdown_num
 if params[:revision].present?
 post_revision = find_post_revision_from_topic_id
- render text: post_revision.modifications[:raw].last, content_type: 'text/plain'
+ render plain: post_revision.modifications[:raw].last
 else
 markdown Post.find_by(topic_id: params[:topic_id].to_i, post_number: (params[:post_number] || 1).to_i)
 end
@@ -27,7 +27,7 @@ class PostsController < ApplicationController
 def markdown(post)
 if post && guardian.can_see?(post)
- render text: post.raw, content_type: 'text/plain'
+ render plain: post.raw
 else
 raise Discourse::NotFound
 end
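Review bot: `render plain: post_revision.modifications[:raw].last` in markdown_num still calls `.last` on whatever `modifications[:raw]` holds; if a revision recorded no change to raw (presumably the key is then absent and the lookup yields nil), this raises NoMethodError and the request ends in a 500 instead of a clean not-found. A guard before the render — `raw = post_revision.modifications[:raw]`, `raise Discourse::NotFound unless raw`, `render plain: raw.last` — keeps the failure mode consistent with the `markdown` action in the next hunk, which raises Discourse::NotFound when it has nothing to show. Whether a revision can lack a :raw entry depends on how revisions are stored, which is not visible in this diff.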
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index b915c1401a6..49e7639974f 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -48,7 +48,7 @@ class SessionController < ApplicationController
 sso.moderator = current_user.moderator?
 if sso.return_sso_url.blank?
- render text: "return_sso_url is blank, it must be provided", status: 400
+ render plain: "return_sso_url is blank, it must be provided", status: 400
 return
 end
diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
index 2f12fe6d360..de2988d8a39 100644
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -43,7 +43,7 @@ class StaticController < ApplicationController
 end
 if I18n.exists?("static.#{@page}")
- render text: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]
+ render html: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]
 return
 end
@@ -163,7 +163,7 @@ class StaticController < ApplicationController
 rescue Errno::ENOENT
 expires_in 1.second, public: true, must_revalidate: false
- render text: "can not find #{params[:path]}", status: 404
+ render plain: "can not find #{params[:path]}", status: 404
 return
 end
 end
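Review bot: `render html: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]` changes what the browser receives: `render html:` escapes any string that is not html_safe, and I18n.t returns a plain String, so a static.* translation that contains markup will now be shown as literal tags, where `render text:` with `formats: [:html]` emitted it raw. If these translations are plain prose that is the right default and deserves a comment such as `# render html: escapes; static.* strings are treated as text, not markup`; if markup is expected, trusting that text (site-editable, if these follow the usual translation override path) has to be an explicit decision rather than something that falls out of the escape. The surrounding action begins before the hunk.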
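Review bot: The 404 at `render plain: "can not find #{params[:path]}", status: 404` echoes a request-controlled value, so this is the hunk where pinning text/plain matters most: `render text:` did not fix the Content-Type (the removed lines elsewhere in this patch pass `content_type: 'text/plain'` explicitly to get it), and a reflected path served as HTML would be a reflected-XSS surface. The change is correct; a one-line comment would keep it from being undone, `# plain: pins text/plain -- params[:path] is echoed in the body`, and the protection also relies on the default `X-Content-Type-Options: nosniff` header still being sent, which a request spec on this 404 could assert. The rescue belongs to a method whose start is outside the hunk.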