alchemy_cms 7.4.9 → 7.4.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of alchemy_cms might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/alchemy_cms.gemspec +1 -1
- data/app/controllers/alchemy/admin/pages_controller.rb +2 -0
- data/app/helpers/alchemy/pages_helper.rb +1 -1
- data/app/models/alchemy/attachment.rb +5 -0
- data/app/models/alchemy/page/page_naming.rb +1 -0
- data/app/models/alchemy/picture.rb +5 -0
- data/app/models/alchemy/site/layout.rb +1 -0
- data/lib/alchemy/name_conversions.rb +6 -0
- data/lib/alchemy/version.rb +1 -1
- data/lib/tasks/alchemy/usage.rake +2 -0
- metadata +8 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6bad48bb119901cb52a788e4eff97309b416af2dc7e8a696b82b679f835df987
|
|
4
|
+
data.tar.gz: 06f164f3d85053c79f9af5c60e5bcaa8f8bb9398007ed02bf381ce3f192b7e1c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 37d2a38d099106c06f14914d8ed1e266b61d0ccb9efd50396e3dd8a9f824d0f802b2341152cd498450acec9643240d1d4f5edc51f735ebbd931edaddb2301996
|
|
7
|
+
data.tar.gz: d89e896f9a6a8584e302c41a7507abb59901f32bb5e1895368f4b9c5b52b541d7893dec7e9f13ebb8dd8ec96482139604b7955b84c1c132ca8ef015c74e52328
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,11 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 7.4.10 (2025-10-02)
|
|
4
|
+
|
|
5
|
+
- [7.4-stable] Fix admin page preview permissions [#3389](https://github.com/AlchemyCMS/alchemy_cms/pull/3389) ([alchemycms-bot](https://github.com/alchemycms-bot))
|
|
6
|
+
- [7.4] Sanititze filenames before upload [#3375](https://github.com/AlchemyCMS/alchemy_cms/pull/3375) ([tvdeyen](https://github.com/tvdeyen))
|
|
7
|
+
- [7.4] Allow importmap-rails v2.0 [#3374](https://github.com/AlchemyCMS/alchemy_cms/pull/3374) ([tvdeyen](https://github.com/tvdeyen))
|
|
8
|
+
|
|
3
9
|
## 7.4.9 (2025-09-04)
|
|
4
10
|
|
|
5
11
|
- [7.4-stable] Alchemy TinyMCE: Remove frontend presence validation [#3361](https://github.com/AlchemyCMS/alchemy_cms/pull/3361) ([alchemycms-bot](https://github.com/alchemycms-bot))
|
data/alchemy_cms.gemspec
CHANGED
|
@@ -40,7 +40,7 @@ Gem::Specification.new do |gem|
|
|
|
40
40
|
gem.add_runtime_dependency "dragonfly", ["~> 1.4"]
|
|
41
41
|
gem.add_runtime_dependency "dragonfly_svg", ["~> 0.0.4"]
|
|
42
42
|
gem.add_runtime_dependency "gutentag", ["~> 2.2", ">= 2.2.1"]
|
|
43
|
-
gem.add_runtime_dependency "importmap-rails", ["
|
|
43
|
+
gem.add_runtime_dependency "importmap-rails", [">= 1.2.1", "< 3.0"]
|
|
44
44
|
gem.add_runtime_dependency "kaminari", ["~> 1.1"]
|
|
45
45
|
gem.add_runtime_dependency "originator", ["~> 3.1"]
|
|
46
46
|
gem.add_runtime_dependency "ransack", [">= 1.8", "< 5.0"]
|
|
@@ -66,6 +66,8 @@ module Alchemy
|
|
|
66
66
|
# Used by page preview iframe in Page#edit view.
|
|
67
67
|
#
|
|
68
68
|
def show
|
|
69
|
+
authorize! :edit_content, @page
|
|
70
|
+
|
|
69
71
|
Current.preview_page = @page
|
|
70
72
|
# Setting the locale to pages language, so the page content has it's correct translations.
|
|
71
73
|
::I18n.locale = @page.language.locale
|
|
@@ -96,6 +96,7 @@ module Alchemy
|
|
|
96
96
|
message: Alchemy.t("not a valid file"),
|
|
97
97
|
unless: -> { self.class.allowed_filetypes.include?("*") }
|
|
98
98
|
|
|
99
|
+
before_save :sanitize_file_name
|
|
99
100
|
before_save :set_name, if: :file_name_changed?
|
|
100
101
|
|
|
101
102
|
scope :with_file_type, ->(file_type) { where(file_mime_type: file_type) }
|
|
@@ -156,6 +157,10 @@ module Alchemy
|
|
|
156
157
|
|
|
157
158
|
private
|
|
158
159
|
|
|
160
|
+
def sanitize_file_name
|
|
161
|
+
self.file_name = sanitized_filename(file_name)
|
|
162
|
+
end
|
|
163
|
+
|
|
159
164
|
def set_name
|
|
160
165
|
self.name = convert_to_humanized_name(file_name, file.ext)
|
|
161
166
|
end
|
|
@@ -94,6 +94,7 @@ module Alchemy
|
|
|
94
94
|
end
|
|
95
95
|
end
|
|
96
96
|
|
|
97
|
+
before_save :sanitize_image_file_name
|
|
97
98
|
# Create important thumbnails upfront
|
|
98
99
|
after_create -> { PictureThumb.generate_thumbs!(self) if has_convertible_format? }
|
|
99
100
|
|
|
@@ -312,5 +313,9 @@ module Alchemy
|
|
|
312
313
|
def image_file_dimensions
|
|
313
314
|
"#{image_file_width}x#{image_file_height}"
|
|
314
315
|
end
|
|
316
|
+
|
|
317
|
+
def sanitize_image_file_name
|
|
318
|
+
self.image_file_name = sanitized_filename(image_file_name)
|
|
319
|
+
end
|
|
315
320
|
end
|
|
316
321
|
end
|
|
@@ -22,5 +22,11 @@ module Alchemy
|
|
|
22
22
|
def convert_to_humanized_name(name, suffix)
|
|
23
23
|
name.gsub(/\.#{::Regexp.quote(suffix)}$/i, "").tr("_", " ").strip
|
|
24
24
|
end
|
|
25
|
+
|
|
26
|
+
# Sanitizes a given filename by removing directory traversal attempts and HTML entities.
|
|
27
|
+
def sanitized_filename(file_name)
|
|
28
|
+
file_name = File.basename(file_name)
|
|
29
|
+
CGI.escapeHTML(file_name)
|
|
30
|
+
end
|
|
25
31
|
end
|
|
26
32
|
end
|
data/lib/alchemy/version.rb
CHANGED
|
@@ -7,6 +7,7 @@ namespace :alchemy do
|
|
|
7
7
|
desc "List Alchemy elements usage"
|
|
8
8
|
task page_usage: :environment do
|
|
9
9
|
include ActionView::Helpers::NumberHelper
|
|
10
|
+
|
|
10
11
|
puts "\n Alchemy pages usage"
|
|
11
12
|
results = Alchemy::Tasks::Usage.pages_count_by_type
|
|
12
13
|
if results.any?
|
|
@@ -24,6 +25,7 @@ namespace :alchemy do
|
|
|
24
25
|
desc "List Alchemy elements usage"
|
|
25
26
|
task element_usage: :environment do
|
|
26
27
|
include ActionView::Helpers::NumberHelper
|
|
28
|
+
|
|
27
29
|
puts "\n Alchemy elements usage"
|
|
28
30
|
results = Alchemy::Tasks::Usage.elements_count_by_name
|
|
29
31
|
if results.any?
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: alchemy_cms
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.4.
|
|
4
|
+
version: 7.4.10
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Thomas von Deyen
|
|
@@ -314,22 +314,22 @@ dependencies:
|
|
|
314
314
|
name: importmap-rails
|
|
315
315
|
requirement: !ruby/object:Gem::Requirement
|
|
316
316
|
requirements:
|
|
317
|
-
- - "~>"
|
|
318
|
-
- !ruby/object:Gem::Version
|
|
319
|
-
version: '1.2'
|
|
320
317
|
- - ">="
|
|
321
318
|
- !ruby/object:Gem::Version
|
|
322
319
|
version: 1.2.1
|
|
320
|
+
- - "<"
|
|
321
|
+
- !ruby/object:Gem::Version
|
|
322
|
+
version: '3.0'
|
|
323
323
|
type: :runtime
|
|
324
324
|
prerelease: false
|
|
325
325
|
version_requirements: !ruby/object:Gem::Requirement
|
|
326
326
|
requirements:
|
|
327
|
-
- - "~>"
|
|
328
|
-
- !ruby/object:Gem::Version
|
|
329
|
-
version: '1.2'
|
|
330
327
|
- - ">="
|
|
331
328
|
- !ruby/object:Gem::Version
|
|
332
329
|
version: 1.2.1
|
|
330
|
+
- - "<"
|
|
331
|
+
- !ruby/object:Gem::Version
|
|
332
|
+
version: '3.0'
|
|
333
333
|
- !ruby/object:Gem::Dependency
|
|
334
334
|
name: kaminari
|
|
335
335
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -1409,7 +1409,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
1409
1409
|
version: '0'
|
|
1410
1410
|
requirements:
|
|
1411
1411
|
- ImageMagick (libmagick), v6.6 or greater.
|
|
1412
|
-
rubygems_version: 3.
|
|
1412
|
+
rubygems_version: 3.7.2
|
|
1413
1413
|
specification_version: 4
|
|
1414
1414
|
summary: A powerful, userfriendly and flexible CMS for Rails
|
|
1415
1415
|
test_files: []
|