SECURITY: Ensure site setting being updated is a configurable site setting (#21132)

Ted Johansson 2023-04-18 14:32:21 +08:00 committed by GitHub
parent bd301c3f08
commit bbc7746cef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 3 deletions


@ -38,7 +38,7 @@ class Admin::SiteSettingsController < Admin::AdminController
value = Upload.get_from_url(value) || "" if SiteSetting.type_supervisor.get_type(id) == :upload
update_existing_users = params[:update_existing_user].present?
previous_value = value_or_default(SiteSetting.public_send(id)) if update_existing_users
previous_value = value_or_default(SiteSetting.get(id)) if update_existing_users
SiteSetting.set_and_log(id, value, current_user)
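Review bot: The request-supplied `id` still reaches `SiteSetting.type_supervisor.get_type(id)` on the first line of the hunk before anything has confirmed it names a real setting; the change only moves validation into `SiteSetting.get` on the `update_existing_users` path and, as far as the SiteSettingExtension hunk shows, into the setter behind `set_and_log`. A single guard at the top of the action, e.g. `raise Discourse::InvalidParameters.new(I18n.t("errors.site_settings.invalid_site_setting", name: id)) unless SiteSetting.has_setting?(id)`, would make rejection of unknown or method-shaped names independent of which downstream helper happens to run first and is easier to audit than relying on each helper to raise. What `get_type` does with an unknown name is not visible here, so whether it is harmless is an assumption. The enclosing action starts and ends outside the hunk.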


@ -198,6 +198,7 @@ en:
embed:
load_from_remote: "There was an error loading that post."
site_settings:
invalid_site_setting: "No setting named '%{name}' exists"
invalid_category_id: "You specified a category that does not exist"
invalid_choice:
one: "You specified the invalid choice %{name}"


@ -438,7 +438,9 @@ module SiteSettingExtension
value = prev_value = "[FILTERED]" if secret_settings.include?(name.to_sym)
StaffActionLogger.new(user).log_site_setting_change(name, prev_value, value)
else
raise Discourse::InvalidParameters.new("No setting named '#{name}' exists")
raise Discourse::InvalidParameters.new(
I18n.t("errors.site_settings.invalid_site_setting", name: name),
)
end
end
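Review bot: The two hunks at `@ -438` and `@ -446` now build the identical `Discourse::InvalidParameters` from the same I18n key, so the message construction is duplicated and the two branches can drift apart the next time the key or wording changes. A small private helper that raises `Discourse::InvalidParameters, I18n.t("errors.site_settings.invalid_site_setting", name: name)` and is called from both `else` branches would keep them in step, and the conventional `raise Klass, message` form reads better than `raise Klass.new(message)`. It is also worth a one-line comment that `name` is request-supplied and is echoed back verbatim in the 422 body (the spec in this commit asserts that), so the message must remain a plain I18n interpolation rather than anything that re-interprets the value. The `if` that pairs with the `else` in the first hunk sits outside it.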
@ -446,7 +448,9 @@ module SiteSettingExtension
if has_setting?(name)
self.public_send(name)
else
raise Discourse::InvalidParameters.new("No setting named '#{name}' exists")
raise Discourse::InvalidParameters.new(
I18n.t("errors.site_settings.invalid_site_setting", name: name),
)
end
end


@ -253,6 +253,19 @@ RSpec.describe Admin::SiteSettingsController do
expect(SiteSetting.search_tokenize_chinese).to eq(true)
end
it "throws an error when the parameter is not a configurable site setting" do
put "/admin/site_settings/clear_cache!.json",
params: {
clear_cache!: "",
update_existing_user: true,
}
expect(response.status).to eq(422)
expect(response.parsed_body["errors"]).to contain_exactly(
"No setting named 'clear_cache!' exists",
)
end
it "throws an error when trying to change a deprecated setting with override = false" do
SiteSetting.personal_message_enabled_groups = Group::AUTO_GROUPS[:trust_level_4]
put "/admin/site_settings/enable_personal_messages.json",