DoS through Onebox favicon URL
Package
Discourse
(Discourse)
Affected versions
stable > 3.1.0 && < 3.1.2; beta/tests-passed > 3.1.0.beta6 && < 3.2.0.beta2
Patched versions
stable >= 3.1.3; beta/tests-passed >= 3.2.0.beta3
Impact
Redis memory can be depleted by crafting a site with an abnormally long favicon URL and drafting multiple posts that Onebox it.
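The class of check that prevents this, as an added example (not Discourse's code or its actual patch): bound the favicon value taken from the remote page before the preview is cached. The 2,000-byte limit and the names `safe_favicon_url` and `build_preview` are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical limit for this example; the advisory does not state the limit
# Discourse uses.
MAX_FAVICON_URL_LENGTH = 2_000

# Returns an absolute http(s) favicon URL, or nil when the value supplied by
# the remote page should not be stored.
def safe_favicon_url(raw, page_url, max_length: MAX_FAVICON_URL_LENGTH)
  # Size check comes first so an oversized value is never copied or parsed.
  return nil unless raw.is_a?(String) && raw.bytesize <= max_length
  candidate = raw.strip
  return nil if candidate.empty?

  absolute = URI.join(page_url, candidate)
  return nil unless absolute.is_a?(URI::HTTP) # URI::HTTPS subclasses URI::HTTP
  return nil if absolute.host.nil? || absolute.host.empty?

  result = absolute.to_s
  # Resolving a relative path against the page URL can lengthen it, so the
  # limit is applied again to the value that would actually be cached.
  result.bytesize > max_length ? nil : result
rescue URI::Error
  nil
end

# Builds the preview record that would be cached. An unsafe favicon is dropped
# rather than failing the whole preview.
def build_preview(page_url, title, raw_favicon)
  preview = { url: page_url, title: title }
  favicon = safe_favicon_url(raw_favicon, page_url)
  preview[:favicon] = favicon if favicon
  preview
end

# Constructed sample inputs.
if __FILE__ == $PROGRAM_NAME
  oversized = "https://example.test/" + ("a" * 5_000_000) + ".ico"
  p build_preview("https://example.test/post", "Post", "/favicon.ico")
  p build_preview("https://example.test/post", "Post", oversized)
end
```

A per-field limit like this caps what a single preview can add to the cache; it does not replace an expiry or eviction policy on the cache itself.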
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
None.