SECURITY: Fix XSS on unsubscribed page.

2025-05-30 15:28:37 +08:00 · 2017-10-09 08:59:03 +08:00
parent 4ea87b5ab8
commit 190558db9d
4 changed files with 17 additions and 2 deletions
--- a/app/controllers/email_controller.rb
+++ b/app/controllers/email_controller.rb
@ -110,6 +110,7 @@ class EmailController < ApplicationController

  def unsubscribed
    @email = params[:email]
+    raise Discourse::NotFound if !User.find_by_email(params[:email])
    @topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
  end