0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-20 22:42:53 -05:00

Merge pull request #6304 from halfdan/fix-6290

Disallow access to author/tag rss feeds if private blogging is on
This commit is contained in:
Hannah Wolfe 2016-01-11 14:04:19 +00:00
commit dfa74ffcd5
2 changed files with 27 additions and 6 deletions

View file

@ -49,7 +49,9 @@ privateBlogging = {
}
// take care of rss and sitemap 404s
if (req.url.lastIndexOf('/rss', 0) === 0 || req.url.lastIndexOf('/sitemap', 0) === 0) {
if (req.path.lastIndexOf('/rss/', 0) === 0 ||
req.path.lastIndexOf('/rss/') === req.url.length - 5 ||
(req.path.lastIndexOf('/sitemap', 0) === 0 && req.path.lastIndexOf('.xml') === req.path.length - 4)) {
return errors.error404(req, res, next);
} else if (req.url.lastIndexOf('/robots.txt', 0) === 0) {
fs.readFile(path.join(config.paths.corePath, 'shared', 'private-robots.txt'), function readFile(err, buf) {

View file

@ -114,31 +114,50 @@ describe('Private Blogging', function () {
});
it('filterPrivateRoutes should call next if is the "private" route', function () {
req.url = '/private/';
req.path = req.url = '/private/';
privateBlogging.filterPrivateRoutes(req, res, next);
next.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is sitemap', function () {
req.url = '/sitemap.xml';
req.path = req.url = '/sitemap.xml';
privateBlogging.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is sitemap with param', function () {
req.url = '/sitemap.xml?weird=param';
req.path = '/sitemap.xml';
privateBlogging.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is rss', function () {
req.url = '/rss';
req.path = req.url = '/rss/';
privateBlogging.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is author rss', function () {
req.path = req.url = '/author/halfdan/rss/';
privateBlogging.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is tag rss', function () {
req.path = req.url = '/tag/slimer/rss/';
privateBlogging.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should throw 404 if url is rss plus something', function () {
req.url = '/rss/sometag';
req.path = req.url = '/rss/sometag';
privateBlogging.filterPrivateRoutes(req, res, next);
errorSpy.called.should.be.true;
});
it('filterPrivateRoutes should render custom robots.txt', function () {
req.url = '/robots.txt';
req.url = req.path = '/robots.txt';
res.writeHead = sinon.spy();
res.end = sinon.spy();
sandbox.stub(fs, 'readFile', function (file, cb) {