FIX: [security bug] XHR check bypass

This commit is contained in:
Régis Hanol
2013-04-30 02:34:19 +02:00
parent f517fa6099
commit 017ee7c2da
2 changed files with 14 additions and 16 deletions


@ -38,7 +38,6 @@ class ApplicationController < ActionController::Base
# Some exceptions
class RenderEmpty < Exception; end
class NotLoggedIn < Exception; end
# Render nothing unless we are an xhr request
rescue_from RenderEmpty do
@ -246,10 +245,7 @@ class ApplicationController < ActionController::Base
def check_xhr
unless (controller_name == 'forums' || controller_name == 'user_open_ids')
# bypass xhr check on PUT / POST / DELETE provided api key is there, otherwise calling api is annoying
if !request.get? && request["api_key"]
return
end
return if !request.get? && request["api_key"] && SiteSetting.api_key_valid?(request["api_key"])
raise RenderEmpty.new unless ((request.format && request.format.json?) || request.xhr?)
end
end
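Review bot: The new `return if` line guarding the bypass with `SiteSetting.api_key_valid?` drops the comment that explained why non-GET requests carrying an api_key skip the XHR requirement, so the purpose of the exemption is now only implied by the condition. I would keep a one-line comment above it, e.g. `# Non-GET requests authenticated with a valid api_key are API calls, not browser XHR, so the XHR requirement does not apply to them`. The key is also read twice from `request["api_key"]`; hoisting it reads better and keeps the validity check tied to the same value: `api_key = request["api_key"]` followed by `return if !request.get? && api_key && SiteSetting.api_key_valid?(api_key)`. The fix rests entirely on `SiteSetting.api_key_valid?`, which is defined outside this hunk (presumably in the other changed file), so that is where a reviewer should confirm that an empty, blank or unknown key is rejected rather than treated as valid.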