-rw-r--r-- | app/controllers/track_controller.rb | 3 | ||||
-rw-r--r-- | config/initializers/alaveteli.rb | 1 | ||||
-rw-r--r-- | lib/actionmailer_patches.rb | 15 | ||||
-rw-r--r-- | spec/controllers/track_controller_spec.rb | 33 | ||||
-rw-r--r-- | spec/factories.rb | 7 |
5 files changed, 58 insertions, 1 deletions
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index 40fa69290..72c092221 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -181,7 +181,8 @@ class TrackController < ApplicationController
 if new_medium == 'delete'
 track_thing.destroy
 flash[:notice] = _("You are no longer following {{track_description}}.", :track_description => track_thing.params[:list_description])
- redirect_to params[:r]
+ redirect_to URI.parse(params[:r]).path
+
 # Reuse code like this if we let medium change again.
 #elsif new_medium == 'email_daily'
 # track_thing.track_medium = new_medium
diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
index 8ae78c80c..4041ef7a8 100644
--- a/config/initializers/alaveteli.rb
+++ b/config/initializers/alaveteli.rb
@@ -50,6 +50,7 @@ require 'normalize_string'
 require 'alaveteli_file_types'
 require 'alaveteli_localization'
 require 'message_prominence'
+require 'actionmailer_patches'
 AlaveteliLocalization.set_locales(AlaveteliConfiguration::available_locales, AlaveteliConfiguration::default_locale)
diff --git a/lib/actionmailer_patches.rb b/lib/actionmailer_patches.rb
new file mode 100644
index 000000000..600d3c8cc
--- /dev/null
+++ b/lib/actionmailer_patches.rb
@@ -0,0 +1,15 @@
+# Monkey patch for CVE-2013-4389
+# derived from http://seclists.org/oss-sec/2013/q4/118 to fix
+# a possible DoS vulnerability in the log subscriber component of
+# Action Mailer.
+
+require 'action_mailer'
+module ActionMailer
+ class LogSubscriber < ActiveSupport::LogSubscriber
+ def deliver(event)
+ recipients = Array.wrap(event.payload[:to]).join(', ')
+ info("\nSent mail to #{recipients} (#{event.duration.round(1)}ms)")
+ debug(event.payload[:mail])
+ end
+ end
+end
diff --git a/spec/controllers/track_controller_spec.rb b/spec/controllers/track_controller_spec.rb
index a16024828..57d084f6b 100644
--- a/spec/controllers/track_controller_spec.rb 
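Review bot: `redirect_to URI.parse(params[:r]).path` turns a missing or malformed `r` into a `URI::InvalidURIError` (an unhandled exception unless something outside this hunk rescues it) instead of a safe fallback, and a parsed path of `""` — for example `r=http://example.com` with no trailing slash, the exact value the first new spec sends — is handed straight to `redirect_to`. Restricting the redirect to the path component is the right defence against the off-site redirect, but the parse should be guarded and the empty case normalised to `/`; note `.path` also drops any query string, which is presumably intended. The enclosing method starts and ends outside the hunk.
```ruby
            # Only honour the path of the return URL so `r` cannot send the
            # user off-site; treat anything unparseable or empty as the root.
            return_path = begin
              URI.parse(params[:r].to_s).path
            rescue URI::InvalidURIError
              nil
            end
            redirect_to(return_path.blank? ? '/' : return_path)
```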
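Review bot: The file reopens `ActionMailer::LogSubscriber` after only `require 'action_mailer'`, so if the upstream `action_mailer/log_subscriber` file is loaded later in boot (as far as I can tell it is pulled in with `ActionMailer::Base`), it reopens the same class and redefines `deliver` with the unpatched body, silently reverting the fix. Adding `require 'action_mailer/log_subscriber'` directly before the `module ActionMailer` line makes the override order deterministic regardless of when Base is first referenced. The header comment should also say when the patch can go away, e.g. `# Remove once the app runs on a Rails release that carries the upstream fix for CVE-2013-4389.`, and a small spec that calls `deliver` with a `to` address containing `%` and checks the log line would guard against the patch being lost.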
+++ b/spec/controllers/track_controller_spec.rb
@@ -55,6 +55,39 @@ describe TrackController, "when making a new track on a request" do
 end
+describe TrackController, "when unsubscribing from a track" do
+
+ before do
+ @track_thing = FactoryGirl.create(:track_thing)
+ end
+
+ it 'should destroy the track thing' do
+ get :update, {:track_id => @track_thing.id,
+ :track_medium => 'delete',
+ :r => 'http://example.com'},
+ {:user_id => @track_thing.tracking_user.id}
+ TrackThing.find(:first, :conditions => ['id = ? ', @track_thing.id]).should == nil
+ end
+
+ it 'should redirect to a URL on the site' do
+ get :update, {:track_id => @track_thing.id,
+ :track_medium => 'delete',
+ :r => '/'},
+ {:user_id => @track_thing.tracking_user.id}
+ response.should redirect_to('/')
+ end
+
+ it 'should not redirect to a url on another site' do
+ track_thing = FactoryGirl.create(:track_thing)
+ get :update, {:track_id => @track_thing.id,
+ :track_medium => 'delete',
+ :r => 'http://example.com/'},
+ {:user_id => @track_thing.tracking_user.id}
+ response.should redirect_to('/')
+ end
+
+end
+
 describe TrackController, "when sending alerts for a track" do
 render_views
diff --git a/spec/factories.rb b/spec/factories.rb
index 653525920..7d8f94ac1 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -137,4 +137,11 @@ FactoryGirl.define do
 last_edit_comment "Making an edit"
 end
+ factory :track_thing do
+ association :tracking_user, :factory => :user
+ track_medium 'email_daily'
+ track_type 'search_query'
+ track_query 'Example Query'
+ end
+
 end |
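Review bot: In `it 'should not redirect to a url on another site'` the local `track_thing = FactoryGirl.create(:track_thing)` is never used — the request is made with `@track_thing` from the `before` block — so the line only creates a stray record and should be dropped. No example pins the controller's behaviour for an absent or unparseable `r` (say `:r => 'http://exa mple.com'`, a constructed value `URI.parse` rejects with `URI::InvalidURIError`) nor for a protocol-relative value such as `:r => '//example.com/'`; both are the cases this kind of fix is judged on and are cheap to add alongside the three examples here. The new `describe` block begins and ends within the hunk.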