github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 12:51:24 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Do not count deleted post for upload ref security (#19949)

Browse Source 
When checking whether an existing upload should be secure
based on upload references, do not count deleted posts, since
there is still a reference attached to them. This can lead to
issues where e.g. an upload is used for a post then later on
a custom emoji.
This commit is contained in:
Martin Brennan
2023-01-24 10:01:48 +10:00
committed by GitHub
parent a6291cd854
commit 110c96e6d7
2 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
spec/lib/upload_security_spec.rb
View File

@ -217,6 +217,16 @@ RSpec.describe UploadSecurity do
end
end
describe "when the upload is first used for a post in a secure context that is later deleted" do
it "returns false" do
create_secure_post_reference
post_in_secure_context.trash!
CustomEmoji.create(name: "meme", upload: upload)
expect(subject.should_be_secure?).to eq(false)
end
end
describe "when the upload is first used for a site setting" do
it "returns false" do
SiteSetting.favicon = upload