SECURITY: 413 for GET, HEAD or DELETE requests with payload.

Guo Xiang Tan
2020-08-03 14:11:17 +08:00
parent 32af607b70
commit 105d560177
2 changed files with 18 additions and 0 deletions


@ -307,7 +307,15 @@ module Middleware
@app = app
end
PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"]
def call(env)
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
env[Rack::RACK_INPUT].size > 0
return [413, {}, []]
end
helper = Helper.new(env)
force_anon = false
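Review bot: The new guard at the top of `call` relies on `env[Rack::RACK_INPUT].size`, but the Rack specification does not list `size` among the methods an input stream must provide. The check therefore presumably depends on the application server handing over a StringIO- or Tempfile-like object. If the input lacks `size` or is nil, the guard would raise NoMethodError and every GET, HEAD and DELETE would fail with a 500 instead of being filtered. I would state that assumption and the reason for the rejection in a comment above the `if`, for example `# Reject bodies on GET/HEAD/DELETE before the rest of the middleware runs; assumes rack.input responds to #size`. Separately, the constant is a mutable array and could be frozen: `PAYLOAD_INVALID_REQUEST_METHODS = ["GET", "DELETE", "HEAD"].freeze`. The body of `call` continues past the end of this hunk, so how the rest of the method treats the request is not visible here.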