github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 20:41:24 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Ensure anon-cached values are never returned for API requests (#20021)

Browse Source 
Under some situations, we would inadvertently return a public (unauthenticated) result to an authenticated API request. This commit adds the `Api-Key` header to our anonymous cache bypass logic.
This commit is contained in:
David Taylor
2023-01-26 13:26:29 +00:00
committed by GitHub
parent e717529d80
commit 798b4bb604
2 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/middleware/anonymous_cache.rb
View File

@ -66,6 +66,7 @@ module Middleware
!@request.path.ends_with?("srv/status") &&
@request[Auth::DefaultCurrentUserProvider::API_KEY].nil? &&
@env[Auth::DefaultCurrentUserProvider::USER_API_KEY].nil? &&
@env[Auth::DefaultCurrentUserProvider::HEADER_API_KEY].nil? &&
CrawlerDetection.is_blocked_crawler?(@env[USER_AGENT])
end
@ -184,11 +185,13 @@ module Middleware
request = Rack::Request.new(@env)
request.cookies["_bypass_cache"].nil? && (request.path != "/srv/status") &&
request[Auth::DefaultCurrentUserProvider::API_KEY].nil? &&
@env[Auth::DefaultCurrentUserProvider::HEADER_API_KEY].nil? &&
@env[Auth::DefaultCurrentUserProvider::USER_API_KEY].nil?
end
def force_anonymous!
@env[Auth::DefaultCurrentUserProvider::USER_API_KEY] = nil
@env[Auth::DefaultCurrentUserProvider::HEADER_API_KEY] = nil
@env["HTTP_COOKIE"] = nil
@env["HTTP_DISCOURSE_LOGGED_IN"] = nil
@env["rack.request.cookie.hash"] = {}