Skip to content

Commit

Permalink
馃悰 Fixed private blogging leaking post information (#8999)
Browse files Browse the repository at this point in the history 
* 馃悰  Fixed private blogging leaking post information

closes #8990

- a condition in the private blogging app redirected rss && sitemap to 404, which can possibly leak content
- remove this condition and ensure we always redirect to /private

* lint 馃構
  • Loading branch information
@kirrg001 @ErisDS
kirrg001 authored and ErisDS committed Sep 11, 2017
1 parent 7e211a3 commit add9e54
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 49 deletions.
8 changes: 1 addition & 7 deletions core/server/apps/private-blogging/lib/middleware.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ var _ = require('lodash'),
Promise = require('bluebird'),
config = require('../../../config'),
api = require('../../../api'),
errors = require('../../../errors'),
utils = require('../../../utils'),
i18n = require('../../../i18n'),
privateRoute = '/' + config.get('routeKeywords').private + '/',
Expand Down Expand Up @@ -50,12 +49,7 @@ privateBlogging = {
return next();
}

// take care of rss and sitemap 404s
if (req.path.lastIndexOf('/rss/', 0) === 0 ||
req.path.lastIndexOf('/rss/') === req.url.length - 5 ||
(req.path.lastIndexOf('/sitemap', 0) === 0 && req.path.lastIndexOf('.xml') === req.path.length - 4)) {
return next(new errors.NotFoundError({message: i18n.t('errors.errors.pageNotFound')}));
} else if (req.url.lastIndexOf('/robots.txt', 0) === 0) {
if (req.url.lastIndexOf('/robots.txt', 0) === 0) {
fs.readFile(path.resolve(__dirname, '../', 'robots.txt'), function readFile(err, buf) {
if (err) {
return next(err);
Expand Down
80 changes: 38 additions & 42 deletions core/server/apps/private-blogging/tests/middleware_spec.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ var should = require('should'), // jshint ignore:line
crypto = require('crypto'),
Promise = require('bluebird'),
api = require('../../../api'),
errors = require('../../../errors'),
fs = require('fs'),

privateBlogging = require('../lib/middleware'),
Expand Down Expand Up @@ -33,7 +32,7 @@ describe('Private Blogging', function () {
req = {};
res = {};
apiSettingsStub = sandbox.stub(api.settings, 'read');
next = sinon.spy();
next = sandbox.spy();
});

it('checkIsPrivate should call next if not private', function (done) {
Expand Down Expand Up @@ -79,7 +78,7 @@ describe('Private Blogging', function () {

it('isPrivateSessionAuth should redirect if blog is not private', function () {
res = {
redirect: sinon.spy(),
redirect: sandbox.spy(),
isPrivateBlog: false
};
privateBlogging.isPrivateSessionAuth(req, res, next);
Expand All @@ -89,7 +88,6 @@ describe('Private Blogging', function () {

describe('private', function () {
beforeEach(function () {
res.isPrivateBlog = true;
res = {
status: function () {
return this;
Expand All @@ -98,8 +96,11 @@ describe('Private Blogging', function () {
},
set: function () {
},
redirect: sandbox.spy(),
isPrivateBlog: true
};

req.session = {};
});

it('filterPrivateRoutes should call next if admin', function () {
Expand All @@ -114,70 +115,65 @@ describe('Private Blogging', function () {
next.called.should.be.true();
});

it('filterPrivateRoutes should throw 404 if url is sitemap', function () {
it('filterPrivateRoutes: sitemap redirects to /private', function () {
req.path = req.url = '/sitemap.xml';
var next = function next(err) {
(err instanceof errors.NotFoundError).should.eql(true);
};

privateBlogging.filterPrivateRoutes(req, res, next);
return privateBlogging.filterPrivateRoutes(req, res, next)
.then(function () {
res.redirect.calledOnce.should.be.true();
});
});

it('filterPrivateRoutes should throw 404 if url is sitemap with param', function () {
it('filterPrivateRoutes: sitemap with params redirects to /private', function () {
req.url = '/sitemap.xml?weird=param';
req.path = '/sitemap.xml';

var next = function next(err) {
(err instanceof errors.NotFoundError).should.eql(true);
};

privateBlogging.filterPrivateRoutes(req, res, next);
return privateBlogging.filterPrivateRoutes(req, res, next)
.then(function () {
res.redirect.calledOnce.should.be.true();
});
});

it('filterPrivateRoutes should throw 404 if url is rss', function () {
it('filterPrivateRoutes: rss redirects to /private', function () {
req.path = req.url = '/rss/';

var next = function next(err) {
(err instanceof errors.NotFoundError).should.eql(true);
};

privateBlogging.filterPrivateRoutes(req, res, next);
return privateBlogging.filterPrivateRoutes(req, res, next)
.then(function () {
res.redirect.calledOnce.should.be.true();
});
});

it('filterPrivateRoutes should throw 404 if url is author rss', function () {
it('filterPrivateRoutes: author rss redirects to /private', function () {
req.path = req.url = '/author/halfdan/rss/';

var next = function next(err) {
(err instanceof errors.NotFoundError).should.eql(true);
};

privateBlogging.filterPrivateRoutes(req, res, next);
return privateBlogging.filterPrivateRoutes(req, res, next)
.then(function () {
res.redirect.calledOnce.should.be.true();
});
});

it('filterPrivateRoutes should throw 404 if url is tag rss', function () {
it('filterPrivateRoutes: tag rss redirects to /private', function () {
req.path = req.url = '/tag/slimer/rss/';

var next = function next(err) {
(err instanceof errors.NotFoundError).should.eql(true);
};

privateBlogging.filterPrivateRoutes(req, res, next);
return privateBlogging.filterPrivateRoutes(req, res, next)
.then(function () {
res.redirect.calledOnce.should.be.true();
});
});

it('filterPrivateRoutes should throw 404 if url is rss plus something', function () {
it('filterPrivateRoutes: rss plus something redirects to /private', function () {
req.path = req.url = '/rss/sometag';

var next = function next(err) {
(err instanceof errors.NotFoundError).should.eql(true);
};

privateBlogging.filterPrivateRoutes(req, res, next);
return privateBlogging.filterPrivateRoutes(req, res, next)
.then(function () {
res.redirect.calledOnce.should.be.true();
});
});

it('filterPrivateRoutes should render custom robots.txt', function () {
req.url = req.path = '/robots.txt';
res.writeHead = sinon.spy();
res.end = sinon.spy();
res.writeHead = sandbox.spy();
res.end = sandbox.spy();
sandbox.stub(fs, 'readFile', function (file, cb) {
cb(null, 'User-agent: * Disallow: /');
});
Expand Down Expand Up @@ -223,7 +219,7 @@ describe('Private Blogging', function () {
token: 'wrongpassword',
salt: Date.now().toString()
};
res.redirect = sinon.spy();
res.redirect = sandbox.spy();

privateBlogging.authenticatePrivateSession(req, res, next).then(function () {
res.redirect.called.should.be.true();
Expand Down

0 comments on commit add9e54

Please sign in to comment.