github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-30 07:11:34 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Use different anon cache keys for XHR requests

Browse Source 
XHR requests are handled differently by the application and the
responses do not have any preloaded data so the cache key needs to
differntiate between those requests.
This commit is contained in:
Bianca Nenciu
2024-09-27 12:55:03 +03:00
committed by Alan Guo Xiang Tan
parent 1da97de7f0
commit e081cc14fb
2 changed files with 42 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/middleware/anonymous_cache.rb
View File

@ -156,8 +156,14 @@ module Middleware
def cache_key
return @cache_key if defined?(@cache_key)
# Rack `xhr?` performs a case sensitive comparison, but Rails `xhr?`
# performs a case insensitive comparison. We use the latter everywhere
# else in the application, so we should use it here as well.
is_xhr = @env["HTTP_X_REQUESTED_WITH"]&.casecmp("XMLHttpRequest") == 0 ? "t" : "f"
@cache_key =
+"ANON_CACHE_#{@env["HTTP_ACCEPT"]}_#{@env[Rack::RACK_URL_SCHEME]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}"
+"ANON_CACHE_#{is_xhr}_#{@env["HTTP_ACCEPT"]}_#{@env[Rack::RACK_URL_SCHEME]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}"
@cache_key << AnonymousCache.build_cache_key(self)
@cache_key
end