SECURITY: Check the length of raw post body (#19733)
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
parent
692329896a
commit
bf6b08670a
|
@ -2,12 +2,16 @@
|
||||||
|
|
||||||
class StrippedLengthValidator < ActiveModel::EachValidator
|
class StrippedLengthValidator < ActiveModel::EachValidator
|
||||||
def self.validate(record, attribute, value, range)
|
def self.validate(record, attribute, value, range)
|
||||||
if !value.nil?
|
if value.nil?
|
||||||
value = get_sanitized_value(value)
|
record.errors.add attribute, I18n.t('errors.messages.blank')
|
||||||
record.errors.add attribute, (I18n.t('errors.messages.too_short', count: range.begin)) if value.length < range.begin
|
elsif value.length > range.end
|
||||||
record.errors.add attribute, (I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)) if value.length > range.end
|
record.errors.add attribute, I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)
|
||||||
else
|
else
|
||||||
record.errors.add attribute, (I18n.t('errors.messages.blank'))
|
value = get_sanitized_value(value)
|
||||||
|
|
||||||
|
if value.length < range.begin
|
||||||
|
record.errors.add attribute, I18n.t('errors.messages.too_short', count: range.begin)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
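Review bot: In the new `elsif value.length > range.end` branch the maximum is now enforced on the raw value only, so the sanitized string produced in the `else` branch is never compared against `range.end` again; that is correct only if `get_sanitized_value` can never lengthen its input, which nothing in this hunk shows. The ordering is the point of the fix (the cap must bound what is handed to the sanitizer, not the stripped residue), so it deserves a comment so a later cleanup does not move the check back after sanitization, e.g. above the `elsif`: `# Cap the RAW length first: an oversized body (e.g. a huge HTML comment) must be rejected before get_sanitized_value spends time stripping it, and the cap is about input size, not stripped content.` It is also worth stating in that comment that `String#length` counts characters, not bytes, so the setting bounds characters of input. The class and method both fit entirely inside this hunk.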
@ -1050,6 +1050,20 @@ RSpec.describe PostsController do
|
||||||
parsed = response.parsed_body
|
parsed = response.parsed_body
|
||||||
expect(parsed["action"]).not_to eq("enqueued")
|
expect(parsed["action"]).not_to eq("enqueued")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "doesn't enqueue replies when the post is too long (including a html comment)" do
|
||||||
|
SiteSetting.max_post_length = 10
|
||||||
|
raw = "A post <!-- " + ("a" * 3000) + "-->"
|
||||||
|
|
||||||
|
post "/posts.json", params: {
|
||||||
|
raw: raw,
|
||||||
|
title: "this is the test title for the topic"
|
||||||
|
}
|
||||||
|
|
||||||
|
expect(response).not_to be_successful
|
||||||
|
parsed = response.parsed_body
|
||||||
|
expect(parsed["action"]).not_to eq("enqueued")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'silences correctly based on auto_silence_first_post_regex' do
|
it 'silences correctly based on auto_silence_first_post_regex' do
|
||||||
|
|
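Review bot: The new example asserts only `expect(response).not_to be_successful` and that `parsed["action"]` is not `"enqueued"`, so any other 4xx (for instance a different validation failing on the same request) would also make it pass without proving the raw-length cap is what rejected the post. Add an assertion on the reported reason, for example that `parsed["errors"]` mentions the length limit, using whichever error shape this controller returns in the neighbouring examples. The surrounding `describe` block starts before this hunk.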