mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-27 09:36:19 -05:00
SECURITY: limit route access when using external avatars
This commit is contained in:
parent
437ad5b05a
commit
cb3afd11b4
2 changed files with 17 additions and 1 deletions
|
@ -21,8 +21,11 @@ class UserAvatarsController < ApplicationController
|
|||
end
|
||||
end
|
||||
|
||||
# mainly used in development for backwards compat
|
||||
def show_proxy_letter
|
||||
if SiteSetting.external_system_avatars_url !~ /^\/letter_avatar_proxy/
|
||||
raise Discourse::NotFound
|
||||
end
|
||||
|
||||
params.require(:letter)
|
||||
params.require(:color)
|
||||
params.require(:version)
|
||||
|
|
|
@ -2,6 +2,19 @@ require 'rails_helper'
|
|||
|
||||
describe UserAvatarsController do
|
||||
|
||||
context 'show_proxy_letter' do
|
||||
it 'returns not found if external avatar is set somewhere else' do
|
||||
SiteSetting.external_system_avatars_url = "https://somewhere.else.com/avatar.png"
|
||||
response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
it 'returns an avatar if we are allowing the proxy' do
|
||||
response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
|
||||
expect(response.status).to eq(200)
|
||||
end
|
||||
end
|
||||
|
||||
context 'show' do
|
||||
it 'handles non local content correctly' do
|
||||
SiteSetting.avatar_sizes = "100|49"
|
||||
|
|
Loading…
Reference in a new issue