SECURITY: don't onebox whispers

Sam 2018-02-16 08:56:13 +11:00
parent 32ad98161f
commit cda3f72ab8
2 changed files with 31 additions and 20 deletions


@ -170,16 +170,26 @@ module Oneboxer
return unless Guardian.new(current_user).can_see_category?(current_category)
end
if route[:post_number].to_i > 1
post = Post.find_by(topic_id: route[:topic_id], post_number: route[:post_number])
topic = Topic.find_by(id: route[:topic_id])
return if !post || post.hidden || post.topic.private_message?
return unless topic
return if topic.private_message?
if current_category&.id != post.topic.category_id
return if !Guardian.new.can_see_post?(post)
if current_category&.id != topic.category_id
return unless Guardian.new.can_see_topic?(topic)
end
topic = post.topic
post = nil
post_number = route[:post_number].to_i
if post_number > 1
post = topic.posts.where(post_number: route[:post_number].to_i).first
else
post = topic.ordered_posts.first
end
return if !post || post.hidden || post.post_type != Post.types[:regular]
if route[:post_number].to_i > 1
excerpt = post.excerpt(SiteSetting.post_onebox_maxlength)
excerpt.gsub!(/[\r\n]+/, " ")
excerpt.gsub!("[/quote]", "[quote]") # don't break my quote
@ -188,23 +198,13 @@ module Oneboxer
PrettyText.cook(quote)
else
topic = Topic.find_by(id: route[:topic_id])
return if !topic || topic.private_message?
if current_category&.id != topic.category_id
return if !Guardian.new.can_see_topic?(topic)
end
first_post = topic.ordered_posts.first
args = {
topic_id: topic.id,
avatar: PrettyText.avatar_img(topic.user.avatar_template, "tiny"),
original_url: url,
title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)),
category_html: CategoryBadge.html_for(topic.category),
quote: first_post.excerpt(SiteSetting.post_onebox_maxlength),
quote: post.excerpt(SiteSetting.post_onebox_maxlength),
}
template = File.read("#{Rails.root}/lib/onebox/templates/discourse_topic_onebox.hbs")
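Review bot: The `post_number` local introduced by `post_number = route[:post_number].to_i` is only used in the `if post_number > 1` test; the lookup line and the later excerpt branch both re-parse the route instead, so the same value is computed three ways in one block. Change them to `post = topic.posts.where(post_number: post_number).first` and `if post_number > 1` so a future edit to the parsing cannot leave the lookup and the branch disagreeing. The `post.post_type != Post.types[:regular]` guard is the part that actually keeps whispers (and other non-regular posts) out of the onebox, and it carries no explanation; a comment such as `# only regular posts are publicly visible — whispers and moderator actions must never be oneboxed` would stop someone relaxing it to `post.hidden` alone. Note that `Guardian.new` here is an anonymous guardian, so the visibility decision deliberately ignores `current_user`; that is consistent with the earlier category check but worth a comment too. The enclosing method begins above this hunk, outside the visible lines.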


@ -139,6 +139,17 @@ describe OneboxController do
expect(response.body).not_to include('blockquote')
end
it 'does not allow whisper onebox' do
log_in
post = create_post
whisper = create_post(topic_id: post.topic_id, post_type: Post.types[:whisper])
url = Discourse.base_url + whisper.url
get :show, params: { url: url }, format: :json
expect(response.body).not_to include('blockquote')
end
it 'allows onebox to public topics/posts in PM' do
log_in