github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-21 18:12:32 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Remove ember-cli specific response from application routes (#15155)

Browse Source 
Under some conditions, these varied responses could lead to cache poisoning, hence the 'security' label.

Previously the Rails application would serve JSON data in place of HTML whenever Ember CLI requested an `application.html.erb`-rendered page. This commit removes that logic, and instead parses the HTML out of the standard response. This means that Rails doesn't need to customize its response for Ember CLI.
This commit is contained in:
David Taylor
2021-12-01 16:10:40 +00:00
committed by GitHub
parent f37375f582
commit 1fa7a87f86
11 changed files with 265 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/discourse.rb
View File

@ -338,11 +338,6 @@ module Discourse
path = request.fullpath
result[:path] = path if path.present?
# When we bootstrap using the JSON method, we want to be able to filter assets on
# the path we're bootstrapping for.
asset_path = request.headers["HTTP_X_DISCOURSE_ASSET_PATH"]
result[:path] = asset_path if asset_path.present?
result
end