SECURITY: Limit the length of drafts (#19989)

Co-authored-by: Loïc Guitaut <loic@discourse.org>
This commit is contained in:
Natalie Tay
2023-01-25 19:50:21 +08:00
committed by GitHub
parent 5eaf080239
commit f91ac52a22
4 changed files with 61 additions and 6 deletions


@ -24,6 +24,16 @@ class DraftsController < ApplicationController
def create
raise Discourse::NotFound.new if params[:draft_key].blank?
if params[:data].size > SiteSetting.max_draft_length
raise Discourse::InvalidParameters.new(:data)
end
begin
data = JSON.parse(params[:data])
rescue JSON::ParserError
raise Discourse::InvalidParameters.new(:data)
end
sequence =
begin
Draft.set(
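Review bot: The new length check on `params[:data].size` assumes the parameter is a String; when `data` is absent the call raises NoMethodError (a 500 instead of a 4xx), and when a client sends it as an array, `.size` counts elements rather than characters, so the limit is not enforced on the payload that reaches `JSON.parse` on the following lines. A type guard ahead of the size check closes that gap: `raise Discourse::InvalidParameters.new(:data) unless params[:data].is_a?(String)`. Note also that `String#size` counts characters, not bytes, so a multibyte draft can exceed `max_draft_length` in storage — if the setting is meant as a storage bound, `bytesize` is the stricter measure. The body of `create` continues past the end of the hunk (the `Draft.set` call is cut off).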
@ -59,12 +69,6 @@ class DraftsController < ApplicationController
json = success_json.merge(draft_sequence: sequence)
begin
data = JSON.parse(params[:data])
rescue JSON::ParserError
raise Discourse::InvalidParameters.new(:data)
end
if data.present?
# this is a bit of a kludge we need to remove (all the parsing) too many special cases here
# we need to catch action edit and action editSharedDraft