Revert "Allow OEmbed to bypass file protection"

This reverts commit 9c181604db.
pull/1266/head
Marcelo Schmidt 10 years ago
parent 9c181604db
commit f7ed5d80c5
  1. 9
      lib/fileUpload.coffee
  2. 1
      packages/rocketchat-oembed/package.js
  3. 6
      packages/rocketchat-oembed/server/server.coffee

@ -52,14 +52,7 @@ if UploadFS?
uid = cookie.get('rc_uid', rawCookies) if rawCookies?
token = cookie.get('rc_token', rawCookies) if rawCookies?
if not uid or not token
throw new Meteor.Error 403, 'Not Allowed'
if uid is OEmbed.rc_uid
if token isnt OEmbed.rc_token
throw new Meteor.Error 403, 'Not Allowed'
else if not RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)
unless uid and token and RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)
throw new Meteor.Error 403, 'Not Allowed'
res.setHeader 'content-disposition', "attachment; filename=\"#{ encodeURIComponent(file.name) }\""
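Review bot: The restored check `unless uid and token and RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)` should carry a comment recording why the download route accepts only the requester's own session token, since the reverted lines show a shared-secret bypass was tried once and could be reintroduced; suggest `# Only the requesting user's own session may fetch a protected file; no service-account or shared-token bypass`. When rawCookies is absent, uid and token stay undefined and the unless clause appears to fall through to the 403, which is the intended fail-closed behaviour and is worth stating in the same comment. The enclosing function starts outside the hunk.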

@ -12,7 +12,6 @@ Package.onUse(function(api) {
'templating',
'coffeescript',
'underscore',
'random',
'konecty:change-case',
'rocketchat:lib@0.0.1'
]);

@ -7,10 +7,7 @@ querystring = Npm.require('querystring')
gunzipSync = Meteor.wrapAsync zlib.gunzip.bind(zlib)
inflateSync = Meteor.wrapAsync zlib.inflate.bind(zlib)
OEmbed = {
rc_uid: 'OEmbed'
rc_token: Random.id()
}
OEmbed = {}
getUrlContent = (urlObj, redirectCount = 5, callback) ->
if _.isString(urlObj)
@ -24,7 +21,6 @@ getUrlContent = (urlObj, redirectCount = 5, callback) ->
rejectUnauthorized: !RocketChat.settings.get 'Allow_Invalid_SelfSigned_Certs'
headers:
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36'
'Cookie': "rc_uid=#{OEmbed.rc_uid}; rc_token=#{OEmbed.rc_token}"
httpOrHttps = if urlObj.protocol is 'https:' then https else http
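Review bot: `OEmbed = {}` on the new side is an empty object with no visible reader in this hunk; if nothing else in the package populates or reads it after the revert, it is a dead assignment and should be removed or carry a comment naming what is expected to attach to it. With the Cookie header gone from the second hunk, the outgoing request in getUrlContent sends no Rocket.Chat credentials, so previews of protected internal files are expected to be refused; a one-line comment at the headers block such as `# No session cookie is sent: link previews are fetched as an anonymous client` would record that intent. getUrlContent continues outside the hunk.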
