Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Ensure site setting being updated is a configurable site setting (#21131)

This commit is contained in:
Ted Johansson 2023-04-18 14:32:18 +08:00 committed by GitHub
parent 180e3e11d1
commit 437b73e322
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/admin/site_settings_controller.rb
View File

@ -38,7 +38,7 @@ class Admin::SiteSettingsController < Admin::AdminController
value = Upload.get_from_url(value) || "" if SiteSetting.type_supervisor.get_type(id) == :upload value = Upload.get_from_url(value) || "" if SiteSetting.type_supervisor.get_type(id) == :upload
update_existing_users = params[:update_existing_user].present? update_existing_users = params[:update_existing_user].present?
previous_value = value_or_default(SiteSetting.public_send(id)) if update_existing_users previous_value = value_or_default(SiteSetting.get(id)) if update_existing_users
SiteSetting.set_and_log(id, value, current_user) SiteSetting.set_and_log(id, value, current_user)

1
config/locales/server.en.yml
View File

@ -204,6 +204,7 @@ en:
embed: embed:
load_from_remote: "There was an error loading that post." load_from_remote: "There was an error loading that post."
site_settings: site_settings:
invalid_site_setting: "No setting named '%{name}' exists"
invalid_category_id: "You specified a category that does not exist" invalid_category_id: "You specified a category that does not exist"
invalid_choice: invalid_choice:
one: "You specified the invalid choice %{name}" one: "You specified the invalid choice %{name}"

8
lib/site_setting_extension.rb
View File

@ -433,7 +433,9 @@ module SiteSettingExtension
value = prev_value = "[FILTERED]" if secret_settings.include?(name.to_sym) value = prev_value = "[FILTERED]" if secret_settings.include?(name.to_sym)
StaffActionLogger.new(user).log_site_setting_change(name, prev_value, value) StaffActionLogger.new(user).log_site_setting_change(name, prev_value, value)
else else
raise Discourse::InvalidParameters.new("No setting named '#{name}' exists") raise Discourse::InvalidParameters.new(
I18n.t("errors.site_settings.invalid_site_setting", name: name),
)
end end
end end
@ -441,7 +443,9 @@ module SiteSettingExtension
if has_setting?(name) if has_setting?(name)
self.public_send(name) self.public_send(name)
else else
raise Discourse::InvalidParameters.new("No setting named '#{name}' exists") raise Discourse::InvalidParameters.new(
I18n.t("errors.site_settings.invalid_site_setting", name: name),
)
end end
end end

13
spec/requests/admin/site_settings_controller_spec.rb
View File

@ -253,6 +253,19 @@ RSpec.describe Admin::SiteSettingsController do
expect(SiteSetting.search_tokenize_chinese).to eq(true) expect(SiteSetting.search_tokenize_chinese).to eq(true)
end end
it "throws an error when the parameter is not a configurable site setting" do
put "/admin/site_settings/clear_cache!.json",
params: {
clear_cache!: "",
update_existing_user: true,
}
expect(response.status).to eq(422)
expect(response.parsed_body["errors"]).to contain_exactly(
"No setting named 'clear_cache!' exists",
)
end
it "throws an error when trying to change a deprecated setting with override = false" do it "throws an error when trying to change a deprecated setting with override = false" do
SiteSetting.personal_message_enabled_groups = Group::AUTO_GROUPS[:trust_level_4] SiteSetting.personal_message_enabled_groups = Group::AUTO_GROUPS[:trust_level_4]
put "/admin/site_settings/enable_personal_messages.json", put "/admin/site_settings/enable_personal_messages.json",