mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-27 17:46:05 -05:00
Add DoS protection to action
This commit is contained in:
parent
ce6c25afed
commit
18bdc4e63e
2 changed files with 13 additions and 5 deletions
|
@ -420,7 +420,7 @@ Discourse.User.reopenClass(Discourse.Singleton, {
|
|||
if(Discourse.CDN){
|
||||
url = Discourse.CDN + url;
|
||||
}
|
||||
return "DISABLED" + url;
|
||||
return url;
|
||||
},
|
||||
|
||||
/**
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
require_dependency 'letter_avatar'
|
||||
|
||||
class UserAvatarsController < ApplicationController
|
||||
DOT = Base64.decode64("R0lGODlhAQABALMAAAAAAIAAAACAAICAAAAAgIAAgACAgMDAwICAgP8AAAD/AP//AAAA//8A/wD//wBiZCH5BAEAAA8ALAAAAAABAAEAAAQC8EUAOw==")
|
||||
|
||||
skip_before_filter :check_xhr, :verify_authenticity_token, only: :show
|
||||
|
||||
def refresh_gravatar
|
||||
|
@ -21,17 +23,17 @@ class UserAvatarsController < ApplicationController
|
|||
|
||||
def show
|
||||
username = params[:username].to_s
|
||||
raise Discourse::NotFound unless user = User.find_by(username_lower: username.downcase)
|
||||
return render_dot unless user = User.find_by(username_lower: username.downcase)
|
||||
|
||||
size = params[:size].to_i
|
||||
if size > 1000 || size < 1
|
||||
raise Discourse::NotFound
|
||||
return render_dot
|
||||
end
|
||||
|
||||
image = nil
|
||||
version = params[:version].to_i
|
||||
|
||||
raise Discourse::NotFound unless version > 0 && user_avatar = user.user_avatar
|
||||
return render_dot unless version > 0 && user_avatar = user.user_avatar
|
||||
|
||||
upload = Upload.find(version) if user_avatar.contains_upload?(version)
|
||||
upload ||= user.uploaded_avatar if user.uploaded_avatar_id == version
|
||||
|
@ -56,12 +58,18 @@ class UserAvatarsController < ApplicationController
|
|||
expires_in 1.year, public: true
|
||||
send_file image, disposition: nil
|
||||
else
|
||||
raise Discourse::NotFound
|
||||
render_dot
|
||||
end
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
# this protects us from a DoS
|
||||
def render_dot
|
||||
expires_in 10.minutes, public: true
|
||||
render text: DOT, content_type: "image/png"
|
||||
end
|
||||
|
||||
def get_optimized_image(upload, size)
|
||||
OptimizedImage.create_for(
|
||||
upload,
|
||||
|
|
Loading…
Reference in a new issue