discourse/spec/fixtures/csv/invite_malicious_headers.csv
Natalie Tay 47728575f8
FIX: Allowlist CSV columns in bulk invite upload (#38231)
The `upload_csv` endpoint accepted user-controlled CSV headers without
validation, allowing arbitrary keys into the invite hashes passed to the
BulkInvite job.

Restrict accepted columns to the ones already handled in BulkInvite (
basically, `email`, `groups`, `topic_id`, `locale`) plus valid UserField
names.
2026-03-09 16:06:09 +08:00

118 B

email groups topic_id admin moderator trust_level
test@example.com discourse true true 4
test2@example.com true 4
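
The allowlisting described in the commit message, as an added Ruby example that is not Discourse's own code: headers outside `email`, `groups`, `topic_id`, `locale` and the supplied user-field names are dropped before the invite hashes are built. `parse_invites`, `user_field_names`, the case-insensitive header matching and the sample rows are assumptions constructed for illustration.

```ruby
require "csv"
require "set"

# Columns the commit message names as already handled by the bulk invite job.
BASE_COLUMNS = %w[email groups topic_id locale].freeze

# Constructed sample upload (not the fixture's exact rows): three privilege-style
# headers plus one header matching a hypothetical user field.
SAMPLE_CSV = <<~ROWS
  email,groups,topic_id,Admin,moderator,trust_level,Department
  alice@example.com,staff-helpers,,true,true,4,Research
  bob@example.com,,12,,true,4,
ROWS

def normalize(name)
  name.to_s.strip.downcase
end

# Returns [invites, rejected_headers]. Only allowlisted keys ever reach the
# invite hashes; everything else is recorded so the caller can log or report it.
# user_field_names stands in for the site's valid UserField names (assumption).
def parse_invites(csv_text, user_field_names: [])
  allowed = Set.new(BASE_COLUMNS + user_field_names.map { |n| normalize(n) })
  rejected = Set.new
  invites = []

  CSV.parse(csv_text, headers: true, skip_blanks: true).each do |row|
    invite = {}
    row.each do |header, value|
      key = normalize(header)
      next if key.empty? # extra cells with no header at all
      unless allowed.include?(key)
        rejected << key
        next
      end
      # Keep the first non-blank value if a header is repeated.
      invite[key] ||= value.strip unless value.nil? || value.strip.empty?
    end
    invites << invite if invite.key?("email") # a row without an email is not an invite
  end

  [invites, rejected.to_a.sort]
end

if $PROGRAM_NAME == __FILE__
  invites, rejected = parse_invites(SAMPLE_CSV, user_field_names: ["Department"])
  puts "rejected headers: #{rejected.join(', ')}"
  invites.each { |invite| puts invite.inspect }
end
```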