gollum 3.1.1 → 3.1.2

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    OTUyOWExYzU5ZTQyNzFhMDdjZTgyYjk3MDlmYWY5MTM5YTM2ZGM3Zg==
-  data.tar.gz: !binary |-
-    MTIzYjg2ZmZiZmQwZWNlOWIzNGE2YzU2MDZkY2MwN2MxZmYwZjUxOA==
+SHA1:
+  metadata.gz: e43f23eb19c3070aec9fc7723537000b565289ea
+  data.tar.gz: e9451a5abaf169f6df0e9d3fda64654625cadaf8
 SHA512:
-  metadata.gz: !binary |-
-    MjNlYmFhZWI0MzcwNzkxMWZhYjBjMGY2NzVkYWYwMWE4M2U0YzcxZjM0ZmYz
-    NTAwYjQ5NjI5NDgzOGU4M2QyMDM3NjE3ZDdmMzFiNjBiOGY4NzNmYzAxY2Vi
-    Y2VmNTUzNmQxMGEwZmE5OWI5YzFhYTY5NTc0NzVmNGEwZGYyZjU=
-  data.tar.gz: !binary |-
-    MGFjZWFjODgwMmM0MDAxNWYwMzhlYjRkZTc4MWI2ODhlNjU0MDQzMDA5NGRh
-    ZTU3ODkwYmY2ZTM3NjFmYjkxOGYxY2RkYjExMDNiNzRjNWVhZTkwNWZiY2Rl
-    MGFmZjUyOTk5OTc4MTljNTc3OTI1ODdjMmNlODk3ZTY0NDIxNTQ=
+  metadata.gz: 8e57862aa0d272111c091e911541a5aa486c200cf26e9236e2a2c04f787a5e13ffa8deefcfcae131efd9042d5c1dac3611c1a72d5c6d9e20020f9e18c60a0b60
+  data.tar.gz: 8c1bafd8c1f889c447096481581d07e0da624797b4505cf2d8ec8405a2ae060df548557a7bf2c70dc5cf20db614396d3d7f86af78e3891b55665e72aebfee0b5

data/HISTORY.md

@@ -1,3 +1,7 @@
+# 3.1.1 /2014-12-04
+
+* Security fix for [remote code execution issue](https://github.com/gollum/gollum/issues/913). Please update!
+
 # 3.1 / 2014-11-28
 
 * New features

data/README.md

@@ -109,6 +109,7 @@ Options:
         --base-path [PATH]           Specify the base path for the served pages (default: /) Example: --base-path wiki yields the home page accessible at http://localhost:4567/wiki/.
         --gollum-path [PATH]         Specify the path to the git repository to be served.
         --ref [REF]                  Specify the repository ref to use (default: master).
+        --bare                       Specify that the repository is bare (only necessary when using the grit adapter).
         --no-edit                    Restricts editing capability through frontend.
         --no-live-preview            Disables livepreview.
         --live-preview               Enables livepreview.

data/bin/gollum

@@ -81,6 +81,10 @@ opts = OptionParser.new do |opts|
     wiki_options[:ref] = ref
   end
 
+  opts.on("--bare", "Specify that the repository is bare (only necessary when using the grit adapter).") do
+    wiki_options[:repo_is_bare] = true
+  end
+
   opts.on("--no-edit", "Restricts editing capability through frontend.")  do
     wiki_options[:allow_editing] = false
   end

data/gollum.gemspec

@@ -5,8 +5,8 @@ Gem::Specification.new do |s|
   s.required_ruby_version = '>= 1.9'
 
   s.name              = 'gollum'
-  s.version           = '3.1.1'
-  s.date              = '2014-12-04'
+  s.version           = '3.1.2'
+  s.date              = '2015-01-23'
   s.rubyforge_project = 'gollum'
   s.license           = 'MIT'
 

data/lib/gollum.rb

@@ -16,7 +16,7 @@ require File.expand_path('../gollum/uri_encode_component', __FILE__)
 $KCODE = 'U' if RUBY_VERSION[0, 3] == '1.8'
 
 module Gollum
-  VERSION = '3.1.1'
+  VERSION = '3.1.2'
 
   def self.assets_path
     ::File.expand_path('gollum/public', ::File.dirname(__FILE__))

data/lib/gollum/app.rb

@@ -22,6 +22,13 @@ Gollum::set_git_max_filesize(190 * 10**6)
 # Fix to_url
 class String
   alias :upstream_to_url :to_url
+
+  if defined?(Gollum::GIT_ADAPTER) && Gollum::GIT_ADAPTER != 'grit'
+    def to_ascii
+      self # Do not transliterate utf-8 url's unless using Grit
+    end
+  end
+  
   # _Header => header which causes errors
   def to_url
     return nil if self.nil?
@@ -95,7 +102,8 @@ module Precious
       @css = settings.wiki_options[:css]
       @js  = settings.wiki_options[:js]
       @mathjax_config = settings.wiki_options[:mathjax_config]
-      @allow_editing = settings.wiki_options.fetch(:allow_editing, true)
+      settings.wiki_options[:allow_editing] = settings.wiki_options.fetch(:allow_editing, true)
+      @allow_editing = settings.wiki_options[:allow_editing]
     end
 
     get '/' do
@@ -310,7 +318,7 @@ module Precious
         wiki.write_page(name, format, params[:content], commit_message, path)
 
         page_dir = settings.wiki_options[:page_file_dir].to_s
-        redirect to("/#{clean_url(::File.join(page_dir, path, name))}")
+        redirect to("/#{clean_url(::File.join(page_dir, path, encodeURIComponent(name)))}")
       rescue Gollum::DuplicatePageError => e
         @message = "Duplicate page: #{e.message}"
         mustache :error
@@ -372,7 +380,7 @@ module Precious
     end
     
     post '/compare/*' do
-      @file     = params[:splat].first
+      @file     = encodeURIComponent(params[:splat].first)
       @versions = params[:versions] || []
       if @versions.size < 2
         redirect to("/history/#{@file}")
@@ -443,6 +451,7 @@ module Precious
       wiki         = Gollum::Wiki.new(settings.gollum_path, wiki_options)
       @results     = wiki.pages
       @results     += wiki.files if settings.wiki_options[:show_all]
+      @results     = @results.sort_by { |p| p.name.downcase } # Sort Results alphabetically, fixes 922
       @ref         = wiki.ref
       mustache :pages
     end

data/lib/gollum/editing_auth.rb

@@ -7,7 +7,7 @@ module Precious
     def call(env)
       @env = env
       # Blocks all potentially editable pages. Use EditingAuth::whitelist_pages to unblock pages.
-      unless (env["REQUEST_METHOD"] == "GET") || App::settings.wiki_options[:allow_editing]
+      unless (env["REQUEST_METHOD"] == "GET") || @app.settings.wiki_options[:allow_editing]
         return block unless excluded_page?
       end
       @app.call(env)
@@ -31,4 +31,4 @@ module Precious
       return ["/compare/"]
     end
   end
-end
+end

data/lib/gollum/helpers.rb

@@ -39,7 +39,7 @@ module Precious
       url.gsub('%2F', '/').gsub(/^\/+/, '').gsub('//', '/')
     end
 
-    def forbid(msg = "Forbidden.")
+    def forbid(msg = "Forbidden. This wiki is set to no-edit mode.")
       @message = msg
       status 403
       halt mustache :error

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gollum
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.1.2
 platform: ruby
 authors:
 - Tom Preston-Werner
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-04 00:00:00.000000000 Z
+date: 2015-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gollum-lib
@@ -18,7 +18,7 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '4.0'
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 4.0.1
   type: :runtime
@@ -28,7 +28,7 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '4.0'
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 4.0.1
 - !ruby/object:Gem::Dependency
@@ -52,7 +52,7 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.4'
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 1.4.4
   type: :runtime
@@ -62,14 +62,14 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.4'
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 1.4.4
 - !ruby/object:Gem::Dependency
   name: mustache
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 0.99.5
     - - <
@@ -79,7 +79,7 @@ dependencies:
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 0.99.5
     - - <
@@ -695,17 +695,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '1.9'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: gollum
-rubygems_version: 2.4.1
+rubygems_version: 2.0.0
 signing_key: 
 specification_version: 2
 summary: A simple, Git-powered wiki.