jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix #3835: Related tags update vulnerability.

Browse Source 
Also fixes deprecated call to `render :text`.
This commit is contained in:
evazion
2018-08-24 11:50:41 -05:00
parent 8833374294
commit 05ad112831
2 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/controllers/application_controller.rb
View File

@@ -36,13 +36,6 @@ class ApplicationController < ActionController::Base
response.headers["Access-Control-Allow-Origin"] = "*" response.headers["Access-Control-Allow-Origin"] = "*"
end end
def require_reportbooru_key
unless params[:key] == Danbooru.config.reportbooru_key
render(text: "forbidden", status: 403)
return false
end
end
def bad_db_connection def bad_db_connection
respond_to do |format| respond_to do |format|
format.json do format.json do

8
app/controllers/related_tags_controller.rb
View File

@@ -19,4 +19,12 @@ class RelatedTagsController < ApplicationController
@tag.save @tag.save
head :ok head :ok
end end
protected
def require_reportbooru_key
unless Danbooru.config.reportbooru_key.present? && params[:key] == Danbooru.config.reportbooru_key
raise User::PrivilegeError
end
end
end end