Add DoS protection to action

This commit is contained in:
Sam 2014-05-27 22:29:27 +10:00
parent ce6c25afed
commit 18bdc4e63e
2 changed files with 13 additions and 5 deletions

View file

@ -420,7 +420,7 @@ Discourse.User.reopenClass(Discourse.Singleton, {
if(Discourse.CDN){
url = Discourse.CDN + url;
}
return "DISABLED" + url;
return url;
},
/**

View file

@ -1,6 +1,8 @@
require_dependency 'letter_avatar'
class UserAvatarsController < ApplicationController
DOT = Base64.decode64("R0lGODlhAQABALMAAAAAAIAAAACAAICAAAAAgIAAgACAgMDAwICAgP8AAAD/AP//AAAA//8A/wD//wBiZCH5BAEAAA8ALAAAAAABAAEAAAQC8EUAOw==")
skip_before_filter :check_xhr, :verify_authenticity_token, only: :show
def refresh_gravatar
@ -21,17 +23,17 @@ class UserAvatarsController < ApplicationController
def show
username = params[:username].to_s
raise Discourse::NotFound unless user = User.find_by(username_lower: username.downcase)
return render_dot unless user = User.find_by(username_lower: username.downcase)
size = params[:size].to_i
if size > 1000 || size < 1
raise Discourse::NotFound
return render_dot
end
image = nil
version = params[:version].to_i
raise Discourse::NotFound unless version > 0 && user_avatar = user.user_avatar
return render_dot unless version > 0 && user_avatar = user.user_avatar
upload = Upload.find(version) if user_avatar.contains_upload?(version)
upload ||= user.uploaded_avatar if user.uploaded_avatar_id == version
@ -56,12 +58,18 @@ class UserAvatarsController < ApplicationController
expires_in 1.year, public: true
send_file image, disposition: nil
else
raise Discourse::NotFound
render_dot
end
end
protected
# this protects us from a DoS
def render_dot
expires_in 10.minutes, public: true
render text: DOT, content_type: "image/png"
end
def get_optimized_image(upload, size)
OptimizedImage.create_for(
upload,