mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-04-29 15:45:23 +08:00
580b7ba678
Unauthenticated author spoofing via `discourse_username` parameter in the `/embed/comments` endpoint allows an anonymous attacker to create embedded topics. This feature has been deprecated for years now (since 3.2) so this commit removes it. Lean no meta tags instead.
43 lines
1.1 KiB
Ruby
43 lines
1.1 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class TopicRetriever
|
|
def initialize(embed_url, opts = nil)
|
|
@embed_url = embed_url
|
|
@opts = opts || {}
|
|
end
|
|
|
|
def retrieve
|
|
perform_retrieve unless (invalid_url? || retrieved_recently?)
|
|
end
|
|
|
|
private
|
|
|
|
def invalid_url?
|
|
!EmbeddableHost.url_allowed?(@embed_url.strip)
|
|
end
|
|
|
|
def retrieved_recently?
|
|
# We can disable the throttle for some users, such as staff
|
|
return false if @opts[:no_throttle]
|
|
|
|
# Throttle other users to once every 60 seconds
|
|
retrieved_key = "retrieved_topic"
|
|
if Discourse.redis.setnx(retrieved_key, "1")
|
|
Discourse.redis.expire(retrieved_key, 60)
|
|
return false
|
|
end
|
|
|
|
true
|
|
end
|
|
|
|
def perform_retrieve
|
|
# It's possible another process or job found the embed already. So if that happened bail out.
|
|
return if TopicEmbed.where(embed_url: @embed_url).exists?
|
|
|
|
username =
|
|
SiteSetting.embed_by_username.presence || SiteSetting.site_contact_username.presence ||
|
|
Discourse.system_user.username
|
|
|
|
TopicEmbed.import_remote(@embed_url, user: User.find_by(username_lower: username.downcase))
|
|
end
|
|
end
|
