github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Fix XSS on unsubscribed page.

Browse Source
This commit is contained in:
Guo Xiang Tan
2017-10-09 09:04:46 +08:00
parent 6fe604b93e
commit a6f2533d38
2 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/email_controller.rb
View File

@ -110,6 +110,7 @@ class EmailController < ApplicationController
def unsubscribed def unsubscribed
@email = params[:email] @email = params[:email]
raise Discourse::NotFound if !User.find_by_email(params[:email])
@topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id] @topic = Topic.find_by(id: params[:topic_id].to_i) if params[:topic_id]
end end

13
spec/requests/email_controller_spec.rb Normal file
View File

@ -0,0 +1,13 @@
require 'rails_helper'
RSpec.describe EmailController do
describe '#unsubscribed' do
describe 'when email is invalid' do
it 'should return the right response' do
get '/email/unsubscribed', params: { email: 'somerandomstring' }
expect(response.status).to eq(404)
end
end
end
end