SECURITY: disable user entered badge SQL by default

- Hidden site settings now must be change via rails console
2025-05-22 22:43:33 +08:00 · 2016-07-28 09:03:00 +10:00
parent cb3afd11b4
commit c6dbaca0dc
6 changed files with 110 additions and 41 deletions
--- a/app/controllers/admin/site_settings_controller.rb
+++ b/app/controllers/admin/site_settings_controller.rb
@ -10,6 +10,10 @@ class Admin::SiteSettingsController < Admin::AdminController
    value = params[id]
    value.strip! if value.is_a?(String)
    begin
+      # note, as of Ruby 2.3 symbols are GC'd so this is considered safe
+      if SiteSetting.hidden_settings.include?(id.to_sym)
+        raise Discourse::InvalidParameters, "You are not allowed to change hidden settings"
+      end
      SiteSetting.set_and_log(id, value, current_user)
      render nothing: true
    rescue Discourse::InvalidParameters => e