replace the upload type whitelist with a sanitizer

This commit is contained in:
Régis Hanol
2017-05-18 12:13:13 +02:00
parent 8e5b0c79ae
commit 13e489b4ca
4 changed files with 12 additions and 19 deletions


@ -5,9 +5,8 @@ class UploadsController < ApplicationController
skip_before_filter :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]
def create
type = params.require(:type)
raise Discourse::InvalidAccess.new unless Upload::UPLOAD_TYPES.include?(type)
# 50 characters ought to be enough for the upload type
type = params.require(:type).parameterize("_")[0..50]
if type == "avatar" && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
return render json: failed_json, status: 422