Merge pull request #6304 from halfdan/fix-6290

Disallow access to author/tag rss feeds if private blogging is on
2025-01-20 22:42:53 -05:00 · 2016-01-11 14:04:19 +00:00 · 2016-01-11 14:04:19 +00:00 · dfa74ffcd5
commit dfa74ffcd5
parent 5e2523a305 8a16dd5d7e
2 changed files with 27 additions and 6 deletions
--- a/core/server/middleware/private-blogging.js
+++ b/core/server/middleware/private-blogging.js
@ -49,7 +49,9 @@ privateBlogging = {
        }

        // take care of rss and sitemap 404s
-        if (req.url.lastIndexOf('/rss', 0) === 0 || req.url.lastIndexOf('/sitemap', 0) === 0) {
+        if (req.path.lastIndexOf('/rss/', 0) === 0 ||
+            req.path.lastIndexOf('/rss/') === req.url.length - 5 ||
+            (req.path.lastIndexOf('/sitemap', 0) === 0 && req.path.lastIndexOf('.xml') === req.path.length - 4)) {
            return errors.error404(req, res, next);
        } else if (req.url.lastIndexOf('/robots.txt', 0) === 0) {
            fs.readFile(path.join(config.paths.corePath, 'shared', 'private-robots.txt'), function readFile(err, buf) {
--- a/core/test/unit/middleware/private-blogging_spec.js
+++ b/core/test/unit/middleware/private-blogging_spec.js
@ -114,31 +114,50 @@ describe('Private Blogging', function () {
            });

            it('filterPrivateRoutes should call next if is the "private" route', function () {
-                req.url = '/private/';
+                req.path = req.url = '/private/';
                privateBlogging.filterPrivateRoutes(req, res, next);
                next.called.should.be.true;
            });

            it('filterPrivateRoutes should throw 404 if url is sitemap', function () {
-                req.url = '/sitemap.xml';
+                req.path = req.url = '/sitemap.xml';
+                privateBlogging.filterPrivateRoutes(req, res, next);
+                errorSpy.called.should.be.true;
+            });
+
+            it('filterPrivateRoutes should throw 404 if url is sitemap with param', function () {
+                req.url = '/sitemap.xml?weird=param';
+                req.path = '/sitemap.xml';
                privateBlogging.filterPrivateRoutes(req, res, next);
                errorSpy.called.should.be.true;
            });

            it('filterPrivateRoutes should throw 404 if url is rss', function () {
-                req.url = '/rss';
+                req.path = req.url = '/rss/';
+                privateBlogging.filterPrivateRoutes(req, res, next);
+                errorSpy.called.should.be.true;
+            });
+
+            it('filterPrivateRoutes should throw 404 if url is author rss', function () {
+                req.path = req.url = '/author/halfdan/rss/';
+                privateBlogging.filterPrivateRoutes(req, res, next);
+                errorSpy.called.should.be.true;
+            });
+
+            it('filterPrivateRoutes should throw 404 if url is tag rss', function () {
+                req.path = req.url = '/tag/slimer/rss/';
                privateBlogging.filterPrivateRoutes(req, res, next);
                errorSpy.called.should.be.true;
            });

            it('filterPrivateRoutes should throw 404 if url is rss plus something', function () {
-                req.url = '/rss/sometag';
+                req.path = req.url = '/rss/sometag';
                privateBlogging.filterPrivateRoutes(req, res, next);
                errorSpy.called.should.be.true;
            });

            it('filterPrivateRoutes should render custom robots.txt', function () {
-                req.url = '/robots.txt';
+                req.url = req.path = '/robots.txt';
                res.writeHead = sinon.spy();
                res.end = sinon.spy();
                sandbox.stub(fs, 'readFile', function (file, cb) {