Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: fix reflected XSS with safe_mode param 

(only applies to beta and master)
This commit is contained in:
Sam 2016-12-19 10:11:51 +11:00
parent 81956cb1d6
commit 30e0154e5d
2 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
app/helpers/application_helper.rb
View File

@ -241,19 +241,35 @@ module ApplicationHelper
MobileDetection.mobile_device?(request.user_agent)
end
NO_CUSTOM = "no_custom".freeze
NO_PLUGINS = "no_plugins".freeze
ONLY_OFFICIAL = "only_official".freeze
SAFE_MODE = "safe_mode".freeze
def customization_disabled?
safe_mode = params["safe_mode"]
session[:disable_customization] || (safe_mode && safe_mode.include?("no_custom"))
safe_mode = params[SAFE_MODE]
session[:disable_customization] || (safe_mode && safe_mode.include?(NO_CUSTOM))
end
def allow_plugins?
safe_mode = params["safe_mode"]
!(safe_mode && safe_mode.include?("no_plugins"))
safe_mode = params[SAFE_MODE]
!(safe_mode && safe_mode.include?(NO_PLUGINS))
end
def allow_third_party_plugins?
safe_mode = params["safe_mode"]
!(safe_mode && (safe_mode.include?("no_plugins") || safe_mode.include?("only_official")))
safe_mode = params[SAFE_MODE]
!(safe_mode && (safe_mode.include?(NO_PLUGINS) || safe_mode.include?(ONLY_OFFICIAL)))
end
def normalized_safe_mode
mode_string = params["safe_mode"]
safe_mode = nil
(safe_mode ||= []) << NO_CUSTOM if mode_string.include?(NO_CUSTOM)
(safe_mode ||= []) << NO_PLUGINS if mode_string.include?(NO_PLUGINS)
(safe_mode ||= []) << ONLY_OFFICIAL if mode_string.include?(ONLY_OFFICIAL)
if safe_mode
safe_mode.join(",").html_safe
end
end
def loading_admin?

2
app/views/common/_discourse_javascript.html.erb
View File

@ -53,7 +53,7 @@
Discourse.set('assetVersion','<%= Discourse.assets_digest %>');
Discourse.Session.currentProp("disableCustomCSS", <%= loading_admin? %>);
<%- if params["safe_mode"] %>
Discourse.Session.currentProp("safe_mode", <%= params["safe_mode"].inspect.html_safe %>);
Discourse.Session.currentProp("safe_mode", <%= normalized_safe_mode.inspect.html_safe %>);
<%- end %>
Discourse.HighlightJSPath = <%= HighlightJs.path.inspect.html_safe %>;
<%- if SiteSetting.enable_s3_uploads %>