From 8a16dd5d7e7ab00bfe85ec7b7730dd6f82af21e8 Mon Sep 17 00:00:00 2001
From: Fabian Becker
Date: Thu, 7 Jan 2016 15:03:39 +0100
Subject: [PATCH] Disallow access to author/tag rss feeds if private blogging is on

- Also fixes an issue where posts/tags with slugs starting with rss/sitemap became inaccessible

fixes #6290
---
 core/server/middleware/private-blogging.js | 4 ++-
 .../unit/middleware/private-blogging_spec.js | 29 +++++++++++++++----
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/core/server/middleware/private-blogging.js b/core/server/middleware/private-blogging.js
index 63938b9b55..9d35d8403d 100644
--- a/core/server/middleware/private-blogging.js
+++ b/core/server/middleware/private-blogging.js
@@ -49,7 +49,9 @@ privateBlogging = {
 }
 
 // take care of rss and sitemap 404s
- if (req.url.lastIndexOf('/rss', 0) === 0 || req.url.lastIndexOf('/sitemap', 0) === 0) {
+ if (req.path.lastIndexOf('/rss/', 0) === 0 ||
+ req.path.lastIndexOf('/rss/') === req.url.length - 5 ||
+ (req.path.lastIndexOf('/sitemap', 0) === 0 && req.path.lastIndexOf('.xml') === req.path.length - 4)) {
 return errors.error404(req, res, next);
 } else if (req.url.lastIndexOf('/robots.txt', 0) === 0) {
 fs.readFile(path.join(config.paths.corePath, 'shared', 'private-robots.txt'), function readFile(err, buf) {
diff --git a/core/test/unit/middleware/private-blogging_spec.js b/core/test/unit/middleware/private-blogging_spec.js
index eda4eadcf3..7a5a7ad9ca 100644
--- a/core/test/unit/middleware/private-blogging_spec.js
+++ b/core/test/unit/middleware/private-blogging_spec.js
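Review bot: The second clause of the new condition compares an offset in `req.path` against `req.url.length`, so an author or tag feed requested with a query string (`/author/x/rss/?a=b`) fails the check and is still served while private blogging is on, which is the very gap this patch sets out to close; `req.path.lastIndexOf('/rss/') === req.path.length - 5` compares like with like. The same clause is also true whenever `lastIndexOf` returns -1 and the path is exactly four characters long (`-1 === 4 - 5`), turning unrelated short paths into 404s. An anchored match such as `/\/rss\/(\d+\/)?$/.test(req.path)` avoids both problems and, if this router also exposes paginated author/tag feeds of the form `/author/x/rss/2/`, covers them too, whereas the current suffix test would let those through. The enclosing function starts before the hunk.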
@@ -114,31 +114,50 @@ describe('Private Blogging', function () {
 });
 
 it('filterPrivateRoutes should call next if is the "private" route', function () {
- req.url = '/private/';
+ req.path = req.url = '/private/';
 privateBlogging.filterPrivateRoutes(req, res, next);
 next.called.should.be.true;
 });
 
 it('filterPrivateRoutes should throw 404 if url is sitemap', function () {
- req.url = '/sitemap.xml';
+ req.path = req.url = '/sitemap.xml';
+ privateBlogging.filterPrivateRoutes(req, res, next);
+ errorSpy.called.should.be.true;
+ });
+
+ it('filterPrivateRoutes should throw 404 if url is sitemap with param', function () {
+ req.url = '/sitemap.xml?weird=param';
+ req.path = '/sitemap.xml';
 privateBlogging.filterPrivateRoutes(req, res, next);
 errorSpy.called.should.be.true;
 });
 
 it('filterPrivateRoutes should throw 404 if url is rss', function () {
- req.url = '/rss';
+ req.path = req.url = '/rss/';
+ privateBlogging.filterPrivateRoutes(req, res, next);
+ errorSpy.called.should.be.true;
+ });
+
+ it('filterPrivateRoutes should throw 404 if url is author rss', function () {
+ req.path = req.url = '/author/halfdan/rss/';
+ privateBlogging.filterPrivateRoutes(req, res, next);
+ errorSpy.called.should.be.true;
+ });
+
+ it('filterPrivateRoutes should throw 404 if url is tag rss', function () {
+ req.path = req.url = '/tag/slimer/rss/';
 privateBlogging.filterPrivateRoutes(req, res, next);
 errorSpy.called.should.be.true;
 });
 
 it('filterPrivateRoutes should throw 404 if url is rss plus something', function () {
- req.url = '/rss/sometag';
+ req.path = req.url = '/rss/sometag';
 privateBlogging.filterPrivateRoutes(req, res, next);
 errorSpy.called.should.be.true;
 });
 
 it('filterPrivateRoutes should render custom robots.txt', function () {
- req.url = '/robots.txt';
+ req.url = req.path = '/robots.txt';
 res.writeHead = sinon.spy();
 res.end = sinon.spy();
 sandbox.stub(fs, 'readFile', function (file, cb) {
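Review bot: The new author and tag feed cases only use URLs where `req.url` equals `req.path`, so the middleware's comparison against `req.url.length` is never exercised with a query string, which is the one input that tells the two apart; the 'sitemap with param' case added just above already shows the pattern. Add a feed case in the same shape, e.g. `req.url = '/author/halfdan/rss/?weird=param'; req.path = '/author/halfdan/rss/';` followed by the `errorSpy.called.should.be.true` assertion, so the feed check cannot regress on query strings. The describe block starts and ends outside the hunk.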