From f09ca88c47004c69270684e7298f17d192c65b92 Mon Sep 17 00:00:00 2001 From: Sam Saffron Date: Mon, 10 Apr 2017 08:09:55 -0400 Subject: [PATCH] SECURITY: prefer render plain/html to render text where possible --- app/controllers/admin/diagnostics_controller.rb | 8 ++++---- app/controllers/admin/email_controller.rb | 2 +- app/controllers/application_controller.rb | 4 ++-- app/controllers/exceptions_controller.rb | 2 +- app/controllers/forums_controller.rb | 4 ++-- app/controllers/onebox_controller.rb | 4 ++-- app/controllers/posts_controller.rb | 4 ++-- app/controllers/session_controller.rb | 5 +++++ 8 files changed, 19 insertions(+), 14 deletions(-) diff --git a/app/controllers/admin/diagnostics_controller.rb b/app/controllers/admin/diagnostics_controller.rb index 161963519e..ba889837a3 100644 --- a/app/controllers/admin/diagnostics_controller.rb +++ b/app/controllers/admin/diagnostics_controller.rb @@ -14,7 +14,7 @@ class Admin::DiagnosticsController < Admin::AdminController text << "\n\nCOUNT #{statements.count}" - render text: text, content_type: Mime::TEXT + render plain: text end def memory_stats @@ -33,7 +33,7 @@ class Admin::DiagnosticsController < Admin::AdminController text = MemoryDiagnostics.memory_report(class_report: params.key?(:full)) end - render text: text, content_type: Mime::TEXT + render plain: text end def dump_heap @@ -46,9 +46,9 @@ class Admin::DiagnosticsController < Admin::AdminController ObjectSpace.dump_all(:output => io) io.close - render text: "HEAP DUMP:\n#{io.path}", content_type: Mime::TEXT + render plain: "HEAP DUMP:\n#{io.path}" rescue - render text: "HEAP DUMP:\nnot supported", content_type: Mime::TEXT + render plain: "HEAP DUMP:\nnot supported" end end diff --git a/app/controllers/admin/email_controller.rb b/app/controllers/admin/email_controller.rb index 2d7798e6c2..2c11e50ab9 100644 --- a/app/controllers/admin/email_controller.rb +++ b/app/controllers/admin/email_controller.rb @@ -72,7 +72,7 @@ class Admin::EmailController < Admin::AdminController def handle_mail params.require(:email) Email::Processor.process!(params[:email]) - render text: "email was processed" + render plain: "email was processed" end def raw_email diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index cec61bf9d6..66e1b1ac8c 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -29,7 +29,7 @@ class ApplicationController < ActionController::Base unless is_api? || is_user_api? super clear_current_user - render text: "['BAD CSRF']", status: 403 + render plain: "[\"BAD CSRF\"]", status: 403 end end @@ -170,7 +170,7 @@ class ApplicationController < ActionController::Base render_json_error I18n.t(type), type: type, status: status_code else - render text: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember') + render html: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember') end end diff --git a/app/controllers/exceptions_controller.rb b/app/controllers/exceptions_controller.rb index d04c4214d2..d5f21f8cb6 100644 --- a/app/controllers/exceptions_controller.rb +++ b/app/controllers/exceptions_controller.rb @@ -14,7 +14,7 @@ class ExceptionsController < ApplicationController # Don't show google search if it's embedded in the Ember app @hide_google = true - render text: build_not_found_page(200, false) + render html: build_not_found_page(200, false) end end diff --git a/app/controllers/forums_controller.rb b/app/controllers/forums_controller.rb index d0c6969e28..879fb27da7 100644 --- a/app/controllers/forums_controller.rb +++ b/app/controllers/forums_controller.rb @@ -6,9 +6,9 @@ class ForumsController < ApplicationController def status if $shutdown - render text: 'shutting down', status: 500, content_type: 'text/plain' + render plain: 'shutting down', status: 500 else - render text: 'ok', content_type: 'text/plain' + render plain: 'ok' end end diff --git a/app/controllers/onebox_controller.rb b/app/controllers/onebox_controller.rb index 9b09a0f3b8..c4e4fa47f4 100644 --- a/app/controllers/onebox_controller.rb +++ b/app/controllers/onebox_controller.rb @@ -9,7 +9,7 @@ class OneboxController < ApplicationController preview = Oneboxer.cached_preview(params[:url]) preview.strip! if preview.present? - return render(text: preview) if preview.present? + return render(plain: preview) if preview.present? # only 1 outgoing preview per user return render(nothing: true, status: 429) if Oneboxer.is_previewing?(params[:user_id]) @@ -26,7 +26,7 @@ class OneboxController < ApplicationController if preview.blank? render nothing: true, status: 404 else - render text: preview + render plain: preview end end diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb index 52618c5caf..2cbc6d0901 100644 --- a/app/controllers/posts_controller.rb +++ b/app/controllers/posts_controller.rb @@ -19,7 +19,7 @@ class PostsController < ApplicationController def markdown_num if params[:revision].present? post_revision = find_post_revision_from_topic_id - render text: post_revision.modifications[:raw].last, content_type: 'text/plain' + render plain: post_revision.modifications[:raw].last else markdown Post.find_by(topic_id: params[:topic_id].to_i, post_number: (params[:post_number] || 1).to_i) end @@ -27,7 +27,7 @@ class PostsController < ApplicationController def markdown(post) if post && guardian.can_see?(post) - render text: post.raw, content_type: 'text/plain' + render plain: post.raw else raise Discourse::NotFound end diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb index e958a2553a..8f8c609dbe 100644 --- a/app/controllers/session_controller.rb +++ b/app/controllers/session_controller.rb @@ -46,6 +46,11 @@ class SessionController < ApplicationController sso.external_id = current_user.id.to_s sso.admin = current_user.admin? sso.moderator = current_user.moderator? + if sso.return_sso_url.blank? + render plain: "return_sso_url is blank, it must be provided", status: 400 + return + end + if request.xhr? cookies[:sso_destination_url] = sso.to_url(sso.return_sso_url) else