From 1ab0f0ccb4ba8a2feefb2f1c7076080e79e4c162 Mon Sep 17 00:00:00 2001 From: Sam Saffron Date: Tue, 7 May 2019 09:41:05 +1000 Subject: [PATCH] SECURITY: avoid use of send in favor of public_send --- lib/site_setting_extension.rb | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/site_setting_extension.rb b/lib/site_setting_extension.rb index e62ca8a441..75fc240ab2 100644 --- a/lib/site_setting_extension.rb +++ b/lib/site_setting_extension.rb @@ -137,7 +137,7 @@ module SiteSettingExtension end if opts[:shadowed_by_global] && GlobalSetting.respond_to?(name) - val = GlobalSetting.send(name) + val = GlobalSetting.public_send(name) unless val.nil? || (val == ''.freeze) shadowed_val = val @@ -186,9 +186,9 @@ module SiteSettingExtension defaults.all.keys.each do |s| result[s] = if deprecated_settings.include?(s.to_s) - send(s, warn: false).to_s + public_send(s, warn: false).to_s else - send(s).to_s + public_send(s).to_s end end @@ -229,7 +229,7 @@ module SiteSettingExtension .reject { |s, _| !include_hidden && hidden_settings.include?(s) } .map do |s, v| - value = send(s) + value = public_send(s) type_hash = type_supervisor.type_hash(s) default = defaults.get(s, default_locale).to_s @@ -286,7 +286,7 @@ module SiteSettingExtension new_hash = defaults_view.merge!(new_hash) # add shadowed - shadowed_settings.each { |ss| new_hash[ss] = GlobalSetting.send(ss) } + shadowed_settings.each { |ss| new_hash[ss] = GlobalSetting.public_send(ss) } changes, deletions = diff_hash(new_hash, current) @@ -368,7 +368,7 @@ module SiteSettingExtension end def notify_clients!(name) - MessageBus.publish('/client_settings', name: name, value: self.send(name)) + MessageBus.publish('/client_settings', name: name, value: self.public_send(name)) end def requires_refresh?(name) 
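Review bot: In `notify_clients!` (hunk `@@ -368`), `public_send(name)` still dispatches on whatever `name` the caller passes and publishes the result on `/client_settings`; moving off `send` only rules out private and protected methods. Unlike `set` in hunk `@@ -391`, nothing visible here checks `has_setting?(name)` first. The callers are outside this diff, so if any of them can pass a name that does not come from the settings registry, add a guard such as `return unless has_setting?(name)` before the publish. A short comment on the method stating that `name` must be a registered setting would also make the contract explicit.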
@@ -391,7 +391,7 @@ module SiteSettingExtension def set(name, value) if has_setting?(name) value = filter_value(name, value) - self.send("#{name}=", value) + self.public_send("#{name}=", value) Discourse.request_refresh! if requires_refresh?(name) else raise Discourse::InvalidParameters.new("Either no setting named '#{name}' exists or value provided is invalid") @@ -399,9 +399,9 @@ module SiteSettingExtension end def set_and_log(name, value, user = Discourse.system_user) - prev_value = send(name) - set(name, value) if has_setting?(name) + prev_value = public_send(name) + set(name, value) value = prev_value = "[FILTERED]" if secret_settings.include?(name.to_sym) StaffActionLogger.new(user).log_site_setting_change(name, prev_value, value) end @@ -479,7 +479,7 @@ module SiteSettingExtension end define_singleton_method "#{clean_name}?" do - self.send clean_name + self.public_send clean_name end define_singleton_method "#{clean_name}=" do |val|
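Review bot: In `set_and_log` (hunk `@@ -399`), moving the read and the `set` call inside `if has_setting?(name)` means an unknown name no longer produces an error. Before this change it failed either in `send(name)` or in `set`, which raises `Discourse::InvalidParameters`; as far as the hunk shows, the method now returns without changing or logging anything. The method's closing lines are outside the hunk, so confirm there is no `else` already. If there is none, add one mirroring `set`, for example `else` followed by `raise Discourse::InvalidParameters.new("No setting named '#{name}' exists")`. A spec that calls `set_and_log` with a name that is not a setting and expects that error would pin the new behaviour.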