SECURITY: limit route access when using external avatars

2016-07-28 08:59:58 +10:00 · 2016-07-28 08:59:58 +10:00 · cb3afd11b4
parent 437ad5b05a
commit cb3afd11b4
2 changed files with 17 additions and 1 deletions
--- a/app/controllers/user_avatars_controller.rb
+++ b/app/controllers/user_avatars_controller.rb
@ -21,8 +21,11 @@ class UserAvatarsController < ApplicationController
    end
  end

-  # mainly used in development for backwards compat
  def show_proxy_letter
+    if SiteSetting.external_system_avatars_url !~ /^\/letter_avatar_proxy/
+      raise Discourse::NotFound
+    end
+
    params.require(:letter)
    params.require(:color)
    params.require(:version)
--- a/spec/controllers/user_avatars_controller_spec.rb
+++ b/spec/controllers/user_avatars_controller_spec.rb
@ -2,6 +2,19 @@ require 'rails_helper'

 describe UserAvatarsController do

+  context 'show_proxy_letter' do
+    it 'returns not found if external avatar is set somewhere else' do
+      SiteSetting.external_system_avatars_url = "https://somewhere.else.com/avatar.png"
+      response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
+      expect(response.status).to eq(404)
+    end
+
+    it 'returns an avatar if we are allowing the proxy' do
+      response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
+      expect(response.status).to eq(200)
+    end
+  end
+
  context 'show' do
    it 'handles non local content correctly' do
      SiteSetting.avatar_sizes = "100|49"