SECURITY: protect upload params, only allow very strict filenames

This commit is contained in:
Sam
2016-12-19 10:16:18 +11:00
parent 30e0154e5d
commit 15b5fddd49
4 changed files with 75 additions and 0 deletions


@ -33,6 +33,20 @@ describe UploadsController do
})
end
it 'fails if type is invalid' do
xhr :post, :create, file: logo, type: "invalid type cause has space"
expect(response.status).to eq 403
xhr :post, :create, file: logo, type: "\\invalid"
expect(response.status).to eq 403
xhr :post, :create, file: logo, type: "invalid."
expect(response.status).to eq 403
xhr :post, :create, file: logo, type: "toolong"*100
expect(response.status).to eq 403
end
it 'is successful with an image' do
Jobs.expects(:enqueue).with(:create_thumbnails, anything)