FIX: Better and more secure validation of periods for TopicQuery

Co-authored-by: Martin Brennan <mjrbrennan@gmail.com>
Robin Ward
2021-07-23 13:52:35 -04:00
parent c7beb0b9a6
commit 7b45a5ce55
10 changed files with 68 additions and 75 deletions


@ -57,8 +57,13 @@ class EmbedController < ApplicationController
end
topic_query = TopicQuery.new(current_user, list_options)
top_period = params[:top_period]&.to_sym
valid_top_period = TopTopic.periods.include?(top_period)
top_period = params[:top_period]
begin
TopTopic.validate_period(top_period)
valid_top_period = true
rescue Discourse::InvalidParameters
valid_top_period = false
end
@list = if valid_top_period
topic_query.list_top_for(top_period)