SECURITY: limit route access when using external avatars

This commit is contained in:
Sam 2016-07-28 08:59:58 +10:00
parent 437ad5b05a
commit cb3afd11b4
2 changed files with 17 additions and 1 deletions

View file

@ -21,8 +21,11 @@ class UserAvatarsController < ApplicationController
end
end
# mainly used in development for backwards compat
def show_proxy_letter
if SiteSetting.external_system_avatars_url !~ /^\/letter_avatar_proxy/
raise Discourse::NotFound
end
params.require(:letter)
params.require(:color)
params.require(:version)

View file

@ -2,6 +2,19 @@ require 'rails_helper'
describe UserAvatarsController do
context 'show_proxy_letter' do
it 'returns not found if external avatar is set somewhere else' do
SiteSetting.external_system_avatars_url = "https://somewhere.else.com/avatar.png"
response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
expect(response.status).to eq(404)
end
it 'returns an avatar if we are allowing the proxy' do
response = get :show_proxy_letter, version: 'v2', letter: 'a', color: 'aaaaaa', size: 20
expect(response.status).to eq(200)
end
end
context 'show' do
it 'handles non local content correctly' do
SiteSetting.avatar_sizes = "100|49"