RubyGems - alchemy_cms - Versions diffs - 7.4.9 → 7.4.11 - Mend

alchemy_cms 7.4.9 → 7.4.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/alchemy_cms.gemspec +1 -1
data/app/controllers/alchemy/admin/pages_controller.rb +2 -0
data/app/decorators/alchemy/ingredient_editor.rb +9 -1
data/app/helpers/alchemy/pages_helper.rb +1 -1
data/app/models/alchemy/attachment.rb +5 -0
data/app/models/alchemy/page/page_naming.rb +1 -0
data/app/models/alchemy/picture.rb +5 -0
data/app/models/alchemy/site/layout.rb +1 -0
data/lib/alchemy/name_conversions.rb +6 -0
data/lib/alchemy/version.rb +1 -1
data/lib/tasks/alchemy/usage.rake +2 -0
metadata +7 -7

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 599bd5102e32131bf2e09816138effbe10a42f7a566b20d546daa5b9d10d6005
-  data.tar.gz: ad5ae57a1ca11863b2467fa36fc4f87289b077e652e2de6b1e039f085255adf2
+  metadata.gz: 52b2d590102b1bce5b74aa747fdba21f2787e9d7e0c52683f1015b031a1c2a95
+  data.tar.gz: f6d443d39b565b16749840b5e4fd96008dc3121625dda35c00383fe1fc120547
 SHA512:
-  metadata.gz: 2271fbba51fd74d0019764845a54a892ed896276a57c516b2b2261d6bc00ab02c2c13f4f71e02cd1b227f4a94ed08b262b72f0fac08dcadb114499e6a9021ffa
-  data.tar.gz: c1ddedb6f0fc7d326b34ef88042aa505c4e6a882c0984a7fb728ae1d795d90f3ec16b6b8e00da450d70ef6f70576ab20f8bdc29224867f29ffd8a86c92d97982
+  metadata.gz: 1a17e8da83f93f6119043c33551ff650cad6b406df35cd0d3d94c7f2d39c0b091280f88ca12b13860aa81dd951115a4d331ffa9397a621359d73c926a4f74882
+  data.tar.gz: 49f824b5f3b5ebb98b902e2fd9aac50c1f4449ae2d0b455f4dc897f4b1887edb570c6f5cbc74c6a9b4739c2f7047f4ede2bd9c826fad4bdc2d73abab8cacb208

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,16 @@
 # Changelog
+## 7.4.11 (2025-10-27)
+- [7.4-stable] Only sanitize filenames if not nil [#3437](https://github.com/AlchemyCMS/alchemy_cms/pull/3437) ([tvdeyen](https://github.com/tvdeyen))
+- [7.4-stable] Fix elements-editor format validations [#3432](https://github.com/AlchemyCMS/alchemy_cms/pull/3432) ([alchemycms-bot](https://github.com/alchemycms-bot))
+## 7.4.10 (2025-10-02)
+- [7.4-stable] Fix admin page preview permissions [#3389](https://github.com/AlchemyCMS/alchemy_cms/pull/3389) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.4] Sanititze filenames before upload [#3375](https://github.com/AlchemyCMS/alchemy_cms/pull/3375) ([tvdeyen](https://github.com/tvdeyen))
+- [7.4] Allow importmap-rails v2.0 [#3374](https://github.com/AlchemyCMS/alchemy_cms/pull/3374) ([tvdeyen](https://github.com/tvdeyen))
 ## 7.4.9 (2025-09-04)
 - [7.4-stable] Alchemy TinyMCE: Remove frontend presence validation [#3361](https://github.com/AlchemyCMS/alchemy_cms/pull/3361) ([alchemycms-bot](https://github.com/alchemycms-bot))

data/alchemy_cms.gemspec CHANGED Viewed

@@ -40,7 +40,7 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency "dragonfly", ["~> 1.4"]
   gem.add_runtime_dependency "dragonfly_svg", ["~> 0.0.4"]
   gem.add_runtime_dependency "gutentag", ["~> 2.2", ">= 2.2.1"]
-  gem.add_runtime_dependency "importmap-rails", ["~> 1.2", ">= 1.2.1"]
+  gem.add_runtime_dependency "importmap-rails", [">= 1.2.1", "< 3.0"]
   gem.add_runtime_dependency "kaminari", ["~> 1.1"]
   gem.add_runtime_dependency "originator", ["~> 3.1"]
   gem.add_runtime_dependency "ransack", [">= 1.8", "< 5.0"]

data/app/controllers/alchemy/admin/pages_controller.rb CHANGED Viewed

@@ -66,6 +66,8 @@ module Alchemy
       # Used by page preview iframe in Page#edit view.
       #
       def show
+        authorize! :edit_content, @page
         Current.preview_page = @page
         # Setting the locale to pages language, so the page content has it's correct translations.
         ::I18n.locale = @page.language.locale

data/app/decorators/alchemy/ingredient_editor.rb CHANGED Viewed

@@ -158,7 +158,15 @@ module Alchemy
     end
     def format_validation
-      validations.select { _1.is_a?(Hash) }.find { _1[:format] }&.fetch(:format)
+      format = validations.select { _1.is_a?(Hash) }.find { _1[:format] }&.fetch(:format)
+      return nil unless format
+      # If format is a string or symbol, resolve it from config format_matchers
+      if format.is_a?(String) || format.is_a?(Symbol)
+        Alchemy::Config.get(:format_matchers)[format.to_sym]
+      else
+        format
+      end
     end
     def length_validation

data/app/helpers/alchemy/pages_helper.rb CHANGED Viewed

@@ -163,7 +163,7 @@ module Alchemy
     end
     def meta_robots
-      "#{@page.robot_index? ? "" : "no"}index, #{@page.robot_follow? ? "" : "no"}follow"
+      "#{"no" unless @page.robot_index?}index, #{"no" unless @page.robot_follow?}follow"
     end
     private

data/app/models/alchemy/attachment.rb CHANGED Viewed

@@ -96,6 +96,7 @@ module Alchemy
       message: Alchemy.t("not a valid file"),
       unless: -> { self.class.allowed_filetypes.include?("*") }
+    before_save :sanitize_file_name, if: :file_name
     before_save :set_name, if: :file_name_changed?
     scope :with_file_type, ->(file_type) { where(file_mime_type: file_type) }
@@ -156,6 +157,10 @@ module Alchemy
     private
+    def sanitize_file_name
+      self.file_name = sanitized_filename(file_name)
+    end
     def set_name
       self.name = convert_to_humanized_name(file_name, file.ext)
     end

data/app/models/alchemy/page/page_naming.rb CHANGED Viewed

@@ -5,6 +5,7 @@ module Alchemy
     module PageNaming
       extend ActiveSupport::Concern
       include NameConversions
       RESERVED_URLNAMES = %w[admin messages new]
       included do

data/app/models/alchemy/picture.rb CHANGED Viewed

@@ -94,6 +94,7 @@ module Alchemy
       end
     end
+    before_save :sanitize_image_file_name, if: :image_file_name
     # Create important thumbnails upfront
     after_create -> { PictureThumb.generate_thumbs!(self) if has_convertible_format? }
@@ -312,5 +313,9 @@ module Alchemy
     def image_file_dimensions
       "#{image_file_width}x#{image_file_height}"
     end
+    def sanitize_image_file_name
+      self.image_file_name = sanitized_filename(image_file_name)
+    end
   end
 end

data/app/models/alchemy/site/layout.rb CHANGED Viewed

@@ -3,6 +3,7 @@
 module Alchemy
   module Site::Layout
     extend ActiveSupport::Concern
     SITE_DEFINITIONS_FILE = Rails.root.join("config/alchemy/site_layouts.yml")
     module ClassMethods

data/lib/alchemy/name_conversions.rb CHANGED Viewed

@@ -22,5 +22,11 @@ module Alchemy
     def convert_to_humanized_name(name, suffix)
       name.gsub(/\.#{::Regexp.quote(suffix)}$/i, "").tr("_", " ").strip
     end
+    # Sanitizes a given filename by removing directory traversal attempts and HTML entities.
+    def sanitized_filename(file_name)
+      file_name = File.basename(file_name)
+      CGI.escapeHTML(file_name)
+    end
   end
 end

data/lib/alchemy/version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module Alchemy
-  VERSION = "7.4.9"
+  VERSION = "7.4.11"
   def self.version
     VERSION

data/lib/tasks/alchemy/usage.rake CHANGED Viewed

@@ -7,6 +7,7 @@ namespace :alchemy do
   desc "List Alchemy elements usage"
   task page_usage: :environment do
     include ActionView::Helpers::NumberHelper
     puts "\n  Alchemy pages usage"
     results = Alchemy::Tasks::Usage.pages_count_by_type
     if results.any?
@@ -24,6 +25,7 @@ namespace :alchemy do
   desc "List Alchemy elements usage"
   task element_usage: :environment do
     include ActionView::Helpers::NumberHelper
     puts "\n  Alchemy elements usage"
     results = Alchemy::Tasks::Usage.elements_count_by_name
     if results.any?

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: alchemy_cms
 version: !ruby/object:Gem::Version
-  version: 7.4.9
+  version: 7.4.11
 platform: ruby
 authors:
 - Thomas von Deyen
@@ -314,22 +314,22 @@ dependencies:
   name: importmap-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.2'
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.2.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.2'
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.2.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: kaminari
   requirement: !ruby/object:Gem::Requirement