DEV: Respond with error 400 to uploads requested via XHR

follow-up to 13f38055
Gerhard Schlager
2019-06-27 11:13:44 +02:00
parent df9b295510
commit fe870a1e54
2 changed files with 7 additions and 10 deletions


@ -70,7 +70,7 @@ class UploadsController < ApplicationController
def show
# do not serve uploads requested via XHR to prevent XSS
return render_404 if request.xhr?
return xhr_not_allowed if request.xhr?
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
@ -92,7 +92,7 @@ class UploadsController < ApplicationController
def show_short
# do not serve uploads requested via XHR to prevent XSS
return render_404 if request.xhr?
return xhr_not_allowed if request.xhr?
if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
return render_404
@ -126,6 +126,10 @@ class UploadsController < ApplicationController
protected
def xhr_not_allowed
raise Discourse::InvalidParameters.new("XHR not allowed")
end
def render_404
raise Discourse::NotFound
end
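Review bot: The comment kept above both guards (in `show` and `show_short`) presents the XHR check as the XSS prevention, but `request.xhr?` only tests the `X-Requested-With` request header, which the client sets. The guard is therefore defence in depth rather than a complete control, and the comment should say so, for example `# defence in depth only: request.xhr? depends on the client-sent X-Requested-With header`. The controls that actually stop an upload from being interpreted as active content (response content type, `Content-Disposition`, `X-Content-Type-Options: nosniff`) are not visible here, because both method bodies continue outside the hunks, so it is worth confirming they are applied on every serving path. On the positive side, raising `Discourse::InvalidParameters` instead of `Discourse::NotFound` makes these rejections distinguishable from real missing files in logs; a short comment on `xhr_not_allowed` stating that it is meant to produce a 400 would keep that intent clear.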