SECURITY: Don't reuse CSP nonce between anonymous requests

committed by
David Taylor

parent
672f3e7e41
commit
0976c8fad6
@ -43,6 +43,21 @@ module Middleware
|
||||
env["ANON_CACHE_DURATION"] = duration
|
||||
end
|
||||
|
||||
def self.clear_all_cache!
|
||||
if Rails.env.production?
|
||||
raise "for perf reasons, clear_all_cache! cannot be used in production."
|
||||
end
|
||||
Discourse.redis.keys("ANON_CACHE_*").each { |k| Discourse.redis.del(k) }
|
||||
end
|
||||
|
||||
def self.disable_anon_cache
|
||||
@@disabled = true
|
||||
end
|
||||
|
||||
def self.enable_anon_cache
|
||||
@@disabled = false
|
||||
end
|
||||
|
||||
# This gives us an API to insert anonymous cache segments
|
||||
class Helper
|
||||
RACK_SESSION = "rack.session"
|
||||
@ -232,7 +247,10 @@ module Middleware
|
||||
end
|
||||
|
||||
def cacheable?
|
||||
!!(!has_auth_cookie? && get? && no_cache_bypass)
|
||||
!!(
|
||||
GlobalSetting.anon_cache_store_threshold > 0 && !has_auth_cookie? && get? &&
|
||||
no_cache_bypass
|
||||
)
|
||||
end
|
||||
|
||||
def compress(val)
|
||||
@ -326,6 +344,8 @@ module Middleware
|
||||
PAYLOAD_INVALID_REQUEST_METHODS = %w[GET HEAD]
|
||||
|
||||
def call(env)
|
||||
return @app.call(env) if defined?(@@disabled) && @@disabled
|
||||
|
||||
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
|
||||
env[Rack::RACK_INPUT].size > 0
|
||||
return 413, { "Cache-Control" => "private, max-age=0, must-revalidate" }, []
|
||||
|
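Review bot: `disable_anon_cache` / `enable_anon_cache` (first hunk) toggle process-wide state with no scoping, so a caller that disables the cache and then raises before re-enabling leaves the middleware in the altered state for everything that runs afterwards in that process; a block form that restores the previous value in `ensure` avoids that, and the two plain setters can stay for backward compatibility. Note also that the bypass is only consulted in `call` (third hunk), while `Helper#cacheable?` (second hunk) still answers true whenever `anon_cache_store_threshold > 0`; if any other code — for example whatever decides CSP-nonce reuse, given the commit title — derives behaviour from `cacheable?` rather than from `call`, disabling the cache will not change that behaviour, which is worth confirming outside this diff. The `defined?(@@disabled) && @@disabled` guard in `call` is needed only because the class variable is never initialised; a `@@disabled = false` at class level (not visible here) would make the intent clearer. The enclosing class header and the rest of `call` lie outside the hunks.
```ruby
def self.disable_anon_cache
  @@disabled = true
end

# Scoped variant: restores whatever state was in effect before, even if the block raises.
def self.with_anon_cache_disabled
  previous = defined?(@@disabled) && @@disabled
  @@disabled = true
  yield
ensure
  @@disabled = previous
end
# … unchanged: enable_anon_cache …
```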