github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Bound the amount of work that embed#topics can do

Browse Source 
This commit adds a hidden site setting that limits the maximum number of
topics that can be fetched at once via the embed controller.
This commit is contained in:
Daniel Waterworth
2020-07-20 12:13:35 +01:00
parent 8f2f9e6afa
commit 0b800d307f
2 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/controllers/embed_controller.rb
View File

@ -41,7 +41,11 @@ class EmbedController < ApplicationController
end end
list_options = build_topic_list_options list_options = build_topic_list_options
list_options[:per_page] = params[:per_page].to_i if params.has_key?(:per_page)
if params.has_key?(:per_page)
list_options[:per_page] =
[params[:per_page].to_i, SiteSetting.embed_topic_limit_per_page].min
end
if params[:allow_create] if params[:allow_create]
@allow_create = true @allow_create = true

3
config/site_settings.yml
View File

@ -1702,6 +1702,9 @@ embedding:
embed_post_limit: embed_post_limit:
default: 100 default: 100
hidden: true hidden: true
embed_topic_limit_per_page:
default: 200
hidden: true
embed_title_scrubber: embed_title_scrubber:
default: "" default: ""
hidden: true hidden: true