Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: missing security check prior to redirect 

In some rare cases, if a user knows the exact title of a topic
they could possibly determine that it really exists in the system
This commit is contained in:
Sam Saffron 2020-05-27 10:58:22 +10:00
parent 2d534bf2e0
commit 5bfb6830c9
No known key found for this signature in database
GPG Key ID: B9606168D2FFD9F5
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/topics_controller.rb
View File

@ -945,6 +945,8 @@ class TopicsController < ApplicationController
end end
def redirect_to_correct_topic(topic, post_number = nil) def redirect_to_correct_topic(topic, post_number = nil)
guardian.ensure_can_see!(topic)
url = topic.relative_url url = topic.relative_url
url << "/#{post_number}" if post_number.to_i > 0 url << "/#{post_number}" if post_number.to_i > 0
url << ".json" if request.format.json? url << ".json" if request.format.json?

11
spec/requests/topics_controller_spec.rb
View File

@ -1357,6 +1357,17 @@ RSpec.describe TopicsController do
expect(response).to redirect_to(topic.relative_url) expect(response).to redirect_to(topic.relative_url)
end end
it 'will return a 403 if you try to redirect to a topic you have no access to' do
category = Fabricate(:category)
category.set_permissions(Group::AUTO_GROUPS[:staff] => :full)
category.save!
topic.update!(category_id: category.id)
get "/t/#{topic.slug}"
expect(response.status).to eq(403)
end
it 'can find a topic when a slug has a number in front' do it 'can find a topic when a slug has a number in front' do
another_topic = Fabricate(:post).topic another_topic = Fabricate(:post).topic