locomotivecms 3.3.0.rc2 → 3.3.0.rc3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0e9f4f8edfefcd83de371071e2fa02fd7d64e1b1
-  data.tar.gz: b8f8065113b1588275132a2dc46f7cf7bc878437
+  metadata.gz: d37da81dfb746c28ecdba02efef450619dcccd87
+  data.tar.gz: e82164ac57b58b259e95202bd6f68b8a7eab3097
 SHA512:
-  metadata.gz: be0f754bc93350ecc01ab1bfdc312095b809a1ec02d9583c2c894165a213dc548c08fb5b23e07f6d095d8aef384112d528e3fc6a9cd38c3c328df957d27ce854
-  data.tar.gz: 1778764e6e160a64b4464afa58db5f93b97d2195d60c1af5b34ef67174a297b3809033d05e9ea71a0110037250196e7d2526309b2b3c93e35a641be34b592fc7
+  metadata.gz: d30c1f7da8df089bee6a3081bcc41d6dee1f74fa57752d1aebbede70b9c2c2036bae21a0487bd1f213efad48549269d1b5c023fd2dfdebcbe293abba3ca3ce76
+  data.tar.gz: 91202542e10f83a06b221e33bcffb0b6030cb204e0eabb2e83cc6a174d77159f9fe0518b0ed0b15224e60f596e0181d769b589b3cfc0d3910ad34a39d79f5db3

data/Gemfile

@@ -24,7 +24,7 @@ group :development do
   # gem 'locomotivecms_common', github: 'locomotivecms/common', ref: '257047b', require: false
 
   # gem 'locomotivecms_steam', path: '../gems/steam', require: false
-  # gem 'locomotivecms_steam', github: 'locomotivecms/steam', ref: 'e624ab686', require: false
+  # gem 'locomotivecms_steam', github: 'locomotivecms/steam', ref: '87c8535', require: false
 
   # gem 'locomotive_liquid', path: '../gems/liquid' # for Developers
   # gem 'locomotivecms_solid', path: '../gems/solid' # for Developers

data/app/api/locomotive/api/entities/site_entity.rb

@@ -7,7 +7,7 @@ module Locomotive
         expose    :name, :handle, :seo_title, :meta_keywords, :meta_description,
                   :robots_txt, :cache_enabled, :private_access
 
-        expose :locales, :domains
+        expose :locales, :domains, :url_redirections
 
         expose :memberships, using: MembershipEntity
 

data/app/api/locomotive/api/forms/site_form.rb

@@ -4,7 +4,7 @@ module Locomotive
 
       class SiteForm < BaseForm
 
-        attrs :name, :handle, :robots_txt, :locales, :domains, :timezone, :picture, :cache_enabled, :private_access, :password, :metafields_schema, :metafields, :metafields_ui
+        attrs :name, :handle, :robots_txt, :locales, :domains, :url_redirections, :timezone, :picture, :cache_enabled, :private_access, :password, :metafields_schema, :metafields, :metafields_ui
         attrs :seo_title, :meta_keywords, :meta_description, localized: true
 
         # Make sure locales and domains are in arrays.

data/app/api/locomotive/api/resources/current_site_resource.rb

@@ -27,7 +27,6 @@ module Locomotive
             present current_site, with: entity_klass
           end
 
-
           desc 'Update current site'
           params do
             requires :site, type: Hash do
@@ -39,6 +38,7 @@ module Locomotive
               optional :robots_txt
               optional :locales, type: Array
               optional :domains, type: Array
+              optional :url_redirections, type: Array
               optional :timezone
               optional :picture
               optional :metafields_schema

data/app/helpers/locomotive/errors_helper.rb

@@ -16,7 +16,7 @@ module Locomotive
     end
 
     def no_site_message(error_type)
-      t(error_type, host: request.host, scope: 'locomotive.errors.no_site.message')
+      t(error_type, host: h(request.host), scope: 'locomotive.errors.no_site.message')
     end
 
   end

data/lib/locomotive/carrierwave/asset.rb

@@ -32,9 +32,9 @@ module Locomotive
         end
 
         def set_content_type_of_model(*args)
-          content_type  = file.content_type
+          content_type = file.content_type
 
-          if content_type.blank? || ['application/octet-stream', 'text/x-csrc'].include?(content_type)
+          if content_type.blank? || ['application/octet-stream'].include?(content_type)
             content_type = File.mime_type?(original_filename)
           end
 

data/lib/locomotive/carrierwave/patches.rb

@@ -20,13 +20,16 @@ module CarrierWave
 
   class SanitizedFile
 
-    # FIXME (Did) CarrierWave speaks mime type now
-    def content_type_with_file_mime_type
-      content_type_without_file_mime_type || File.mime_type?(original_filename)
+    # do not rely on Carrierwave to get the mime type of an asset.
+    # The Carrierwave mime_magic_content_type method is too unpredictable.
+    # https://github.com/locomotivecms/engine/issues/1200
+    def content_type
+      @content_type ||=
+        existing_content_type ||
+        mime_types_content_type ||
+        mime_magic_content_type
     end
 
-    alias_method_chain :content_type, :file_mime_type
-
   end
 
   module Uploader

data/lib/locomotive/version.rb

@@ -2,5 +2,5 @@
 # MAJOR.MINOR.PATCH format.
 # 1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta < 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0
 module Locomotive #:nodoc
-  VERSION = '3.3.0.rc2'
+  VERSION = '3.3.0.rc3'
 end

data/spec/fixtures/assets/magic_mime_type.js

@@ -0,0 +1 @@
+if (true) console.log('yeah!')

data/spec/models/locomotive/theme_asset_spec.rb

@@ -83,6 +83,7 @@ describe Locomotive::ThemeAsset do
 
     end
 
+
     it 'processes stylesheet' do
       asset.source = FixturedAsset.open('main.css')
       expect(asset.source.file.content_type).to_not eq(nil)
@@ -194,6 +195,18 @@ describe Locomotive::ThemeAsset do
 
   end
 
+  describe '#content type' do
+
+    let(:source) { FixturedAsset.open('magic_mime_type.js') }
+
+    subject { asset.valid?; asset.content_type }
+
+    it "don't rely on the mime_magic_content_type method" do
+      is_expected.to eq(:javascript)
+    end
+
+  end
+
   it_should_behave_like 'model scoped by a site' do
 
     let(:model)     { build(:theme_asset, source: FixturedAsset.open('5k.png')) }

data/spec/requests/locomotive/site_spec.rb

@@ -27,6 +27,11 @@ describe Locomotive::Middlewares::Site do
       it { expect(subject.first).to eq 404 }
       it { expect(subject.last.body).to match(/Site not found \| Locomotive/) }
 
+      it 'has to escape the host to prevent XSS attacks (by setting the X-Forwarded-Host header)' do
+        allow_any_instance_of(ActionDispatch::Request).to receive(:host).and_return('<script>alert(1)</script>')
+        expect(subject.last.body).not_to include('<script>alert(1)</script>')
+      end
+
       context 'default host' do
 
         before { allow(Locomotive.config).to receive(:host).and_return('example.com') }

data/spec/requests/locomotive/steam/cache_spec.rb

@@ -40,7 +40,7 @@ describe Locomotive::Steam::Middlewares::Cache do
 
     subject { middleware.send(:cache_key, steam_env) }
 
-    it { expect(subject).to eq '6f10bd02e43a99e1bef1223da0e266ec' }
+    it { expect(subject).to eq 'e86d1e803b59f9eeeca84cce457808e3' }
 
   end
 

data/vendor/assets/javascripts/locomotive/resizeImage.js

@@ -139,7 +139,7 @@
   }
 
   function resolveLanczos (self) {
-    var result = new Image()
+    var result = new Image();
 
     result.onload = function () {
       self.resultD.resolve(result)
@@ -149,15 +149,30 @@
       self.resultD.reject(err)
     }
 
+    result.crossOrigin = 'Anonymous';
     result.src = self.canvas.toDataURL(self.type, self.quality)
   }
 
   // resize by stepping down
-  window.resizeImageStep = function (img, width, height, quality) {
+  window.resizeImageStep = function(img, width, height, quality) {
+    var resultD = $.Deferred();
+    var _img = document.createElement('img');
+
+    _img.onload = function() {
+      window._resizeImageStep(_img, width, height, quality, resultD);
+    }
+
+    // prevent the browser to raise a security exception about
+    // a tainted canvas.
+    _img.setAttribute('crossOrigin','anonymous');
+    _img.src = img.getAttribute('src');
+
+    return resultD.promise();
+  }
+
+  window._resizeImageStep = function (img, width, height, quality, resultD) {
     quality = quality || 1.0
 
-    // var resultD = $q.defer()
-    var resultD = $.Deferred()
     var canvas  = document.createElement( 'canvas' )
     var context = getContext(canvas)
     var type = "image/png"
@@ -166,12 +181,10 @@
     var cH = img.naturalHeight
 
     var dst = new Image()
+    dst.crossOrigin = 'Anonymous';
     var tmp = null
 
-    //resultD.resolve(img)
-    //return resultD.promise
-
-    function stepDown () {
+    function stepDown() {
       cW = Math.max(cW / 2, width) | 0
       cH = Math.max(cH / 2, height) | 0
 
@@ -188,6 +201,7 @@
 
       if (!tmp) {
         tmp = new Image()
+        tmp.crossOrigin = 'Anonymous';
         tmp.onload = stepDown
       }
 
@@ -204,8 +218,6 @@
     } else {
       stepDown()
     }
-
-    return resultD.promise()
   }
 
   function getContext (canvas) {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: locomotivecms
 version: !ruby/object:Gem::Version
-  version: 3.3.0.rc2
+  version: 3.3.0.rc3
 platform: ruby
 authors:
 - Didier Lafforgue
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-22 00:00:00.000000000 Z
+date: 2017-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -156,14 +156,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.0.rc1
+        version: 1.3.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.0.rc1
+        version: 1.3.0.rc2
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement
@@ -1245,6 +1245,7 @@ files:
 - spec/fixtures/assets/5k@2x.png
 - spec/fixtures/assets/5k_2.png
 - spec/fixtures/assets/application.js
+- spec/fixtures/assets/magic_mime_type.js
 - spec/fixtures/assets/main.css
 - spec/fixtures/assets/ruby_logo.svg
 - spec/fixtures/assets/specs.pdf
@@ -1393,6 +1394,7 @@ test_files:
 - spec/fixtures/assets/5k@2x.png
 - spec/fixtures/assets/5k_2.png
 - spec/fixtures/assets/application.js
+- spec/fixtures/assets/magic_mime_type.js
 - spec/fixtures/assets/main.css
 - spec/fixtures/assets/ruby_logo.svg
 - spec/fixtures/assets/specs.pdf