Fix hidden attribute leaks in legacy post controller (#3237).

2017-07-24 20:33:06 -05:00
parent f2bf756422
commit 67528ce5ab
4 changed files with 15 additions and 10 deletions
--- a/app/controllers/legacy_controller.rb
+++ b/app/controllers/legacy_controller.rb
@@ -1,9 +1,21 @@
 class LegacyController < ApplicationController
  before_filter :member_only, :only => [:create_post]
+  respond_to :json, :xml

  def posts
    @post_set = PostSets::Post.new(tag_query, params[:page], params[:limit], format: "json")
-    @posts = @post_set.posts
+    @posts = @post_set.posts.map(&:legacy_attributes)
+
+    respond_with(@posts) do |format|
+      format.xml do
+        xml = Builder::XmlMarkup.new(indent: 2)
+        xml.instruct!
+        xml.posts do
+          @posts.each { |attrs| xml.post(attrs) }
+        end
+        render xml: xml.target!
+      end
+    end
  end

  def create_post
--- a/app/models/post.rb
+++ b/app/models/post.rb
@@ -1548,7 +1548,7 @@ class Post < ApplicationRecord
      super(options)
    end

-    def to_legacy_json
+    def legacy_attributes
      hash = {
        "has_comments" => last_commented_at.present?,
        "parent_id" => parent_id,
@@ -1574,7 +1574,7 @@ class Post < ApplicationRecord
        hash["md5"] = md5
      end

-      hash.to_json
+      hash
    end

    def status
--- a/app/views/legacy/posts.json.erb
+++ b/app/views/legacy/posts.json.erb
@@ -1 +0,0 @@
-[<%= @posts.map {|x| x.to_legacy_json}.join(", ").html_safe %>]
--- a/app/views/legacy/posts.xml.erb
+++ b/app/views/legacy/posts.xml.erb
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<posts>
-  <% @posts.each do |post| %>
-	  <post preview_url="<%= post.preview_file_url %>" file_size="<%= post.file_size %>" status="<%= post.status %>" score="<%= post.score %>" file_url="<%= post.file_url %>" height="<%= post.image_height %>" has_comments="<%= post.last_commented_at.present? %>" tags="<%= post.tag_string %>" source="<%= post.source %>" parent_id="<%= post.parent_id %>" created_at="<%= post.created_at.to_formatted_s(:db) %>" rating="<%= post.rating %>" has_notes="<%= post.last_noted_at.present? %>" id="<%= post.id %>" md5="<%= post.md5 %>" has_children="<%= post.has_children? %>" creator_id="<%= post.uploader_id %>" author="<%= post.uploader_name %>" width="<%= post.image_width %>"/>
-	<% end %>
-</posts>
				`@@ -1 +0,0 @@`
				`[<%= @posts.map {\|x\| x.to_legacy_json}.join(", ").html_safe %>]`