discourse/app/controllers/admin
Roman Rizzi 93b0fc608d SECURITY: block cross-site backup traversal in multisite local storage [backport 2026.4]
Backport of #716 to release/2026.4.

---

Harden backup download/delete/restore path handling to prevent path traversal across site backup directories in multisite setups using local backup storage. Tighten backup route matching, validate backup IDs in admin backup member actions, and enforce canonical-path containment in LocalBackupStore so filenames cannot escape the current site’s backup directory. Add regression specs for route matching, controller rejection of traversal IDs, and local store traversal protection.

CVE: https://github.com/discourse/discourse/security/advisories/GHSA-5j6v-4x6g-9pg5
2026-05-19 00:25:09 +01:00
config FEATURE: Merge permanent upcoming changes with new features feed (#38526) 2026-03-25 07:52:31 +10:00
admin_controller.rb DEV: Drop WithServiceHelper 2024-09-05 09:58:20 +02:00
admin_notices_controller.rb DEV: Update rubocop-discourse to 3.13 and autofix issues (#35073) 2025-10-06 16:11:01 +02:00
api_controller.rb DEV: Tidy plugin API key scope resource names (#38640) 2026-03-17 13:03:42 +11:00
backups_controller.rb SECURITY: block cross-site backup traversal in multisite local storage [backport 2026.4] 2026-05-19 00:25:09 +01:00
badges_controller.rb FIX: ensures admin can't set system property on badges (#37820) 2026-02-16 12:33:32 +01:00
color_schemes_controller.rb FEATURE: Allow editing theme-owned palettes (#34722) 2025-10-06 09:02:39 +03:00
dashboard_controller.rb FEATURE: Merge permanent upcoming changes with new features feed (#38526) 2026-03-25 07:52:31 +10:00
email_controller.rb DEV: Fix job serialization deprecation in email controller (#39311) 2026-04-16 11:42:34 +02:00
email_logs_controller.rb DEV: Update rubocop-discourse to 3.13 and autofix issues (#35073) 2025-10-06 16:11:01 +02:00
email_styles_controller.rb
email_templates_controller.rb FEATURE: Add background job and ability to delete posts from suspend user modal (#36813) 2026-01-07 10:25:01 -06:00
embeddable_hosts_controller.rb DEV: Expand top_tags, topic.tags, etc, to return an array of tag objects instead of tag names (#36678) 2026-02-02 10:03:02 +08:00
embedding_controller.rb UX: admins embedding page follows admin ux guideline (#30122) 2025-01-06 13:01:08 +11:00
emoji_controller.rb DEV: Move admin config pages out of /customize/ sub-route (#30511) 2025-01-02 09:13:11 +10:00
form_templates_controller.rb DEV: Rename experimental_ upcoming change settings (#37589) 2026-02-10 10:34:37 +10:00
groups_controller.rb FIX: Logging hole in group user histories and convert group create to service (#37054) 2026-02-06 13:34:58 +10:00
impersonate_controller.rb FIX: Stop impersonation session not working with group-based upcoming change (#37655) 2026-02-10 16:24:31 +10:00
permalinks_controller.rb FIX: Permalink.create didn't work as expected anymore (#29895) 2024-11-22 21:11:26 +01:00
plugins_controller.rb FIX: Don't allow access to plugin page if plugin is not visible (#26431) 2024-04-02 16:26:15 +03:00
problem_checks_controller.rb FEATURE: Add problem checks page to admin panel and allow ignoring problem checks (#39103) 2026-04-23 08:28:33 +08:00
reports_controller.rb SECURITY: Do not leak PM post edits to moderators 2026-03-19 15:21:28 +00:00
robots_txt_controller.rb FIX: Log changes to robots.txt by admins (#37901) 2026-02-18 14:20:21 -05:00
screened_emails_controller.rb SECURITY: Moderators cannot see user emails. 2024-12-19 13:13:18 -03:00
screened_ip_addresses_controller.rb DEV: Require admin for allow_admin screened IP mutations (#38545) 2026-03-12 10:43:19 -07:00
screened_urls_controller.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
search_controller.rb DEV: Refactor admin search index into a service (#38959) 2026-04-01 10:09:10 +10:00
search_logs_controller.rb DEV: Apply syntax_tree formatting to app/* 2023-01-09 14:14:59 +00:00
section_controller.rb DEV: Add a skeleton for section landing page & items (#28477) 2024-10-02 12:19:38 +10:00
site_settings_controller.rb FEATURE: onboarding banner for admins (#37583) 2026-02-10 14:53:44 -03:00
site_texts_controller.rb UX: Display interpolation keys as interactive pills in admin editors (#37254) 2026-02-27 21:21:26 +01:00
staff_action_logs_controller.rb DEV: Add comparison budget to ONPDiff (#38063) 2026-02-25 14:25:03 -05:00
staff_controller.rb DEV: Drop WithServiceHelper 2024-09-05 09:58:20 +02:00
themes_controller.rb FEATURE: Allow changing source repo/branch/key for theme after installation (#38169) 2026-04-02 16:56:19 +01:00
unknown_reviewables_controller.rb FEATURE: Gracefully handle unhandled reviewables (#31118) 2025-02-05 14:38:45 +11:00
user_fields_controller.rb DEV: Update rubocop (#38721) 2026-03-20 00:39:52 +01:00
users_controller.rb FIX: prevent silence_reason from leaking private email body (#39337) 2026-04-17 17:45:09 +03:00
versions_controller.rb Refactor admin base controller (#18453) 2022-10-31 12:02:26 +00:00
watched_words_controller.rb DEV: Deferred upload accesses tempfile after request completes (#38337) 2026-03-10 07:53:29 -07:00
web_hooks_controller.rb FIX: Allow selecting tags when creating or editing webhooks (#37942) 2026-02-20 23:00:50 +08:00