From 4e07bbfbbf02ea65682ca4b39e6b6a95a10c2caf Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Mon, 2 Oct 2017 10:45:54 +0800
Subject: [PATCH] FIX: Only allow intergers for page params.
---
 app/controllers/list_controller.rb | 2 ++
 spec/requests/list_controller_spec.rb | 12 ++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/app/controllers/list_controller.rb b/app/controllers/list_controller.rb
index 1a77a589e40..02b3cdd3e56 100644
--- a/app/controllers/list_controller.rb
+++ b/app/controllers/list_controller.rb
@@ -331,6 +331,8 @@ class ListController < ApplicationController
 def build_topic_list_options
 options = {}
+ params[:page] = params[:page].to_i rescue 1
+
 TopicQuery.public_valid_options.each do |key|
 options[key] = params[key]
 end
diff --git a/spec/requests/list_controller_spec.rb b/spec/requests/list_controller_spec.rb
index cec635654e6..9a0d21a5c95 100644
--- a/spec/requests/list_controller_spec.rb
+++ b/spec/requests/list_controller_spec.rb
@@ -3,6 +3,18 @@ require 'rails_helper'
 RSpec.describe ListController do
 let(:topic) { Fabricate(:topic) }
+ describe '#index' do
+ it "doesn't throw an error with a negative page" do
+ get "/#{Discourse.anonymous_filters[1]}", params: { page: -1024 }
+ expect(response).to be_success
+ end
+
+ it "doesn't throw an error with page params as an array" do
+ get "/#{Discourse.anonymous_filters[1]}", params: { page: ['7'] }
+ expect(response).to be_success
+ end
+ end
+
 describe 'titles for crawler layout' do
 it 'has no title for the default URL' do
 topic
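Review bot: The inline `rescue 1` on the added line in `build_topic_list_options` gives inconsistent defaults for a request-controlled value. A missing `page` becomes 0 through `nil.to_i`, an array or nested-hash value raises NoMethodError and becomes 1, and a negative integer such as the -1024 used in the new spec is passed through unchanged. The modifier also swallows any other StandardError raised on that line. An explicit type check keeps the coercion predictable, for example `page = params[:page]` followed by `params[:page] = page.respond_to?(:to_i) ? page.to_i : 0`, assuming 0 is the intended first page. Whether negatives should also be clamped here depends on how the query layer treats them, which this hunk does not show; the method body continues past the end of the hunk.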
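Review bot: Both new examples in `describe '#index'` assert only `be_success`, so they would still pass if the coercion silently sent malformed input to an unexpected page. They also leave out the other shapes a query string can produce for `page`, namely a nested hash and a non-numeric string. Consider adding cases such as `get "/#{Discourse.anonymous_filters[1]}", params: { page: { a: 1 } }` and `params: { page: 'abc' }`. Where the response exposes it, assert which page was actually served. Indexing `Discourse.anonymous_filters[1]` ties the spec to the order of that list; a named filter would be easier to read.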