mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-05 07:13:12 +08:00
Non-admin users with group-level query access could pass `limit=ALL` or an arbitrarily large integer to bypass the row limit cap on data explorer queries. This commit removes support for the `ALL` value for the `limit` query param since it is unbounded. We consider this a security hardening fix instead of a security flaw since there are many conditions for this code path to be exploited and those conditions are quite rare.

| File |
|---|
| data_explorer.rake |
| fix_query_ids.rake |
| javascript.rake |