locomotivecms 3.3.0.rc2 → 3.3.0.rc3
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/app/api/locomotive/api/entities/site_entity.rb +1 -1
- data/app/api/locomotive/api/forms/site_form.rb +1 -1
- data/app/api/locomotive/api/resources/current_site_resource.rb +1 -1
- data/app/helpers/locomotive/errors_helper.rb +1 -1
- data/lib/locomotive/carrierwave/asset.rb +2 -2
- data/lib/locomotive/carrierwave/patches.rb +8 -5
- data/lib/locomotive/version.rb +1 -1
- data/spec/fixtures/assets/magic_mime_type.js +1 -0
- data/spec/models/locomotive/theme_asset_spec.rb +13 -0
- data/spec/requests/locomotive/site_spec.rb +5 -0
- data/spec/requests/locomotive/steam/cache_spec.rb +1 -1
- data/vendor/assets/javascripts/locomotive/resizeImage.js +22 -10
- metadata +6 -4
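--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d37da81dfb746c28ecdba02efef450619dcccd87
+data.tar.gz: e82164ac57b58b259e95202bd6f68b8a7eab3097
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d30c1f7da8df089bee6a3081bcc41d6dee1f74fa57752d1aebbede70b9c2c2036bae21a0487bd1f213efad48549269d1b5c023fd2dfdebcbe293abba3ca3ce76
+data.tar.gz: 91202542e10f83a06b221e33bcffb0b6030cb204e0eabb2e83cc6a174d77159f9fe0518b0ed0b15224e60f596e0181d769b589b3cfc0d3910ad34a39d79f5db3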
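--- a/data/Gemfile
+++ b/data/Gemfile
@@ -24,7 +24,7 @@ group :development do
 # gem 'locomotivecms_common', github: 'locomotivecms/common', ref: '257047b', require: false
 
 # gem 'locomotivecms_steam', path: '../gems/steam', require: false
-# gem 'locomotivecms_steam', github: 'locomotivecms/steam', ref: '
+# gem 'locomotivecms_steam', github: 'locomotivecms/steam', ref: '87c8535', require: false
 
 # gem 'locomotive_liquid', path: '../gems/liquid' # for Developers
 # gem 'locomotivecms_solid', path: '../gems/solid' # for Developers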
@@ -7,7 +7,7 @@ module Locomotive
|
|
7
7
|
expose :name, :handle, :seo_title, :meta_keywords, :meta_description,
|
8
8
|
:robots_txt, :cache_enabled, :private_access
|
9
9
|
|
10
|
-
expose :locales, :domains
|
10
|
+
expose :locales, :domains, :url_redirections
|
11
11
|
|
12
12
|
expose :memberships, using: MembershipEntity
|
13
13
|
|
@@ -4,7 +4,7 @@ module Locomotive
|
|
4
4
|
|
5
5
|
class SiteForm < BaseForm
|
6
6
|
|
7
|
-
attrs :name, :handle, :robots_txt, :locales, :domains, :timezone, :picture, :cache_enabled, :private_access, :password, :metafields_schema, :metafields, :metafields_ui
|
7
|
+
attrs :name, :handle, :robots_txt, :locales, :domains, :url_redirections, :timezone, :picture, :cache_enabled, :private_access, :password, :metafields_schema, :metafields, :metafields_ui
|
8
8
|
attrs :seo_title, :meta_keywords, :meta_description, localized: true
|
9
9
|
|
10
10
|
# Make sure locales and domains are in arrays.
|
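Review bot: `:url_redirections` joins the `attrs` list on new line 7, but nothing in the hunk gives it the array normalisation that the comment on line 10 says exists for `locales` and `domains`; since the API resource declares `url_redirections` with `type: Array`, a nil or single-value payload probably needs the same coercion — confirm in the method that follows that comment, which is outside the hunk. The `SiteForm` class body continues past the hunk. Separately, redirection entries are operator input that the engine presumably later redirects visitors to; if the `Site` model does not already restrict their targets (relative paths or known hosts, for instance), a validation there would close the usual open-redirect gap — that cannot be confirmed from this hunk.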
@@ -27,7 +27,6 @@ module Locomotive
|
|
27
27
|
present current_site, with: entity_klass
|
28
28
|
end
|
29
29
|
|
30
|
-
|
31
30
|
desc 'Update current site'
|
32
31
|
params do
|
33
32
|
requires :site, type: Hash do
|
@@ -39,6 +38,7 @@ module Locomotive
|
|
39
38
|
optional :robots_txt
|
40
39
|
optional :locales, type: Array
|
41
40
|
optional :domains, type: Array
|
41
|
+
optional :url_redirections, type: Array
|
42
42
|
optional :timezone
|
43
43
|
optional :picture
|
44
44
|
optional :metafields_schema
|
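Review bot: `optional :url_redirections, type: Array` on new line 41 checks only that the value is an array; its elements pass through unvalidated, whereas the neighbouring `locales` and `domains` entries hold plain strings. If each redirection has a fixed shape, a nested declaration such as `optional :url_redirections, type: Array do requires :source, type: String; requires :target, type: String end` lets Grape reject malformed entries at the API boundary instead of leaving that to the model — the field names here are constructed, so confirm the real shape against the `Site` model. The `params` block and the enclosing resource continue outside the hunk.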
@@ -32,9 +32,9 @@ module Locomotive
|
|
32
32
|
end
|
33
33
|
|
34
34
|
def set_content_type_of_model(*args)
|
35
|
-
content_type
|
35
|
+
content_type = file.content_type
|
36
36
|
|
37
|
-
if content_type.blank? || ['application/octet-stream'
|
37
|
+
if content_type.blank? || ['application/octet-stream'].include?(content_type)
|
38
38
|
content_type = File.mime_type?(original_filename)
|
39
39
|
end
|
40
40
|
|
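Review bot: `['application/octet-stream'].include?(content_type)` on new line 37 is a one-element array lookup that reads like a list nobody finished; `content_type == 'application/octet-stream'` says the same thing, or, if more generic types are expected, a frozen constant such as `GENERIC_CONTENT_TYPES = %w[application/octet-stream].freeze` queried with `include?`. The fallback on line 38 derives the type from `original_filename`, presumably by extension, i.e. from a name the uploader chose, so the resulting `content_type` should not be treated as authoritative by anything security-relevant downstream; a one-line comment on the method stating where the value comes from would make that visible. `set_content_type_of_model` continues past the hunk.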
@@ -20,13 +20,16 @@ module CarrierWave
|
|
20
20
|
|
21
21
|
class SanitizedFile
|
22
22
|
|
23
|
-
#
|
24
|
-
|
25
|
-
|
23
|
+
# do not rely on Carrierwave to get the mime type of an asset.
|
24
|
+
# The Carrierwave mime_magic_content_type method is too unpredictable.
|
25
|
+
# https://github.com/locomotivecms/engine/issues/1200
|
26
|
+
def content_type
|
27
|
+
@content_type ||=
|
28
|
+
existing_content_type ||
|
29
|
+
mime_types_content_type ||
|
30
|
+
mime_magic_content_type
|
26
31
|
end
|
27
32
|
|
28
|
-
alias_method_chain :content_type, :file_mime_type
|
29
|
-
|
30
33
|
end
|
31
34
|
|
32
35
|
module Uploader
|
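Review bot: the new `content_type` resolves `existing_content_type` first and `mime_magic_content_type` last (new lines 27–30), so the values that originate with the upload itself — the declared type and, as its name suggests, a filename lookup via `mime_types_content_type` — now win over content inspection; that is the intended fix for the linked issue, but it also means `content_type` is essentially whatever the uploader says it is. Nothing in the hunk guards downstream use, so any allow-list or served Content-Type that relies on this value should be confirmed to perform its own check. Extending the comment would make the trade-off explicit: `# Order matters: the declared type and filename lookup are preferred over content sniffing, so callers must not treat this value as a security check.` The method replaces CarrierWave's own `SanitizedFile#content_type` without calling it; the enclosing `class SanitizedFile` opens before the hunk.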
data/lib/locomotive/version.rb
CHANGED
@@ -0,0 +1 @@
|
|
1
|
+
if (true) console.log('yeah!')
|
@@ -83,6 +83,7 @@ describe Locomotive::ThemeAsset do
|
|
83
83
|
|
84
84
|
end
|
85
85
|
|
86
|
+
|
86
87
|
it 'processes stylesheet' do
|
87
88
|
asset.source = FixturedAsset.open('main.css')
|
88
89
|
expect(asset.source.file.content_type).to_not eq(nil)
|
@@ -194,6 +195,18 @@ describe Locomotive::ThemeAsset do
|
|
194
195
|
|
195
196
|
end
|
196
197
|
|
198
|
+
describe '#content type' do
|
199
|
+
|
200
|
+
let(:source) { FixturedAsset.open('magic_mime_type.js') }
|
201
|
+
|
202
|
+
subject { asset.valid?; asset.content_type }
|
203
|
+
|
204
|
+
it "don't rely on the mime_magic_content_type method" do
|
205
|
+
is_expected.to eq(:javascript)
|
206
|
+
end
|
207
|
+
|
208
|
+
end
|
209
|
+
|
197
210
|
it_should_behave_like 'model scoped by a site' do
|
198
211
|
|
199
212
|
let(:model) { build(:theme_asset, source: FixturedAsset.open('5k.png')) }
|
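Review bot: the new `describe '#content type'` label on new line 198 does not name the method the block exercises (`asset.content_type` on line 202); `describe '#content_type' do` keeps the usual RSpec convention. The example name `"don't rely on the mime_magic_content_type method"` reads better as `"doesn't rely on the mime_magic_content_type method"`. The `subject { asset.valid?; asset.content_type }` line ties the assertion to a validation side effect; if the content type is assigned in a validation callback, a short comment saying so would tell the next reader why `valid?` is called first.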
@@ -27,6 +27,11 @@ describe Locomotive::Middlewares::Site do
|
|
27
27
|
it { expect(subject.first).to eq 404 }
|
28
28
|
it { expect(subject.last.body).to match(/Site not found \| Locomotive/) }
|
29
29
|
|
30
|
+
it 'has to escape the host to prevent XSS attacks (by setting the X-Forwarded-Host header)' do
|
31
|
+
allow_any_instance_of(ActionDispatch::Request).to receive(:host).and_return('<script>alert(1)</script>')
|
32
|
+
expect(subject.last.body).not_to include('<script>alert(1)</script>')
|
33
|
+
end
|
34
|
+
|
30
35
|
context 'default host' do
|
31
36
|
|
32
37
|
before { allow(Locomotive.config).to receive(:host).and_return('example.com') }
|
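Review bot: the new example on lines 30–33 only asserts that the raw `<script>` string is absent, so it would also pass if the host stopped being rendered altogether; asserting the escaped form, `expect(subject.last.body).to include('&lt;script&gt;alert(1)&lt;/script&gt;')`, pins that the host is still shown and escaped — assuming the 404 page does render the host, which the hunk does not show. The description mentions the X-Forwarded-Host header, but the setup stubs `ActionDispatch::Request#host` directly; either set that header on the request or drop the parenthetical so the description matches what is exercised. The escaping itself lives in a file outside this hunk.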
@@ -139,7 +139,7 @@
|
|
139
139
|
}
|
140
140
|
|
141
141
|
function resolveLanczos (self) {
|
142
|
-
var result = new Image()
|
142
|
+
var result = new Image();
|
143
143
|
|
144
144
|
result.onload = function () {
|
145
145
|
self.resultD.resolve(result)
|
@@ -149,15 +149,30 @@
|
|
149
149
|
self.resultD.reject(err)
|
150
150
|
}
|
151
151
|
|
152
|
+
result.crossOrigin = 'Anonymous';
|
152
153
|
result.src = self.canvas.toDataURL(self.type, self.quality)
|
153
154
|
}
|
154
155
|
|
155
156
|
// resize by stepping down
|
156
|
-
window.resizeImageStep = function
|
157
|
+
window.resizeImageStep = function(img, width, height, quality) {
|
158
|
+
var resultD = $.Deferred();
|
159
|
+
var _img = document.createElement('img');
|
160
|
+
|
161
|
+
_img.onload = function() {
|
162
|
+
window._resizeImageStep(_img, width, height, quality, resultD);
|
163
|
+
}
|
164
|
+
|
165
|
+
// prevent the browser to raise a security exception about
|
166
|
+
// a tainted canvas.
|
167
|
+
_img.setAttribute('crossOrigin','anonymous');
|
168
|
+
_img.src = img.getAttribute('src');
|
169
|
+
|
170
|
+
return resultD.promise();
|
171
|
+
}
|
172
|
+
|
173
|
+
window._resizeImageStep = function (img, width, height, quality, resultD) {
|
157
174
|
quality = quality || 1.0
|
158
175
|
|
159
|
-
// var resultD = $q.defer()
|
160
|
-
var resultD = $.Deferred()
|
161
176
|
var canvas = document.createElement( 'canvas' )
|
162
177
|
var context = getContext(canvas)
|
163
178
|
var type = "image/png"
|
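Review bot: `window.resizeImageStep` (new lines 157–171) wires `_img.onload` but no `onerror`, so if the image fails to load — which `crossOrigin = 'anonymous'` can make more likely, since a cross-origin source without CORS headers now fails instead of loading tainted — `resultD` is never resolved or rejected and callers waiting on the promise hang. Adding `_img.onerror = function (err) { resultD.reject(err); };` next to the `onload` handler mirrors the `self.resultD.reject(err)` path visible on line 149 of `resolveLanczos`. The added lines also end in semicolons while the surrounding code (`quality = quality || 1.0`, `var canvas = document.createElement( 'canvas' )`) omits them; pick one style for the file. `result.crossOrigin` on new line 152 precedes a `toDataURL` source, where the attribute has no effect; a brief comment saying it is set for consistency would save the next reader from wondering what it guards.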
@@ -166,12 +181,10 @@
|
|
166
181
|
var cH = img.naturalHeight
|
167
182
|
|
168
183
|
var dst = new Image()
|
184
|
+
dst.crossOrigin = 'Anonymous';
|
169
185
|
var tmp = null
|
170
186
|
|
171
|
-
|
172
|
-
//return resultD.promise
|
173
|
-
|
174
|
-
function stepDown () {
|
187
|
+
function stepDown() {
|
175
188
|
cW = Math.max(cW / 2, width) | 0
|
176
189
|
cH = Math.max(cH / 2, height) | 0
|
177
190
|
|
@@ -188,6 +201,7 @@
|
|
188
201
|
|
189
202
|
if (!tmp) {
|
190
203
|
tmp = new Image()
|
204
|
+
tmp.crossOrigin = 'Anonymous';
|
191
205
|
tmp.onload = stepDown
|
192
206
|
}
|
193
207
|
|
@@ -204,8 +218,6 @@
|
|
204
218
|
} else {
|
205
219
|
stepDown()
|
206
220
|
}
|
207
|
-
|
208
|
-
return resultD.promise()
|
209
221
|
}
|
210
222
|
|
211
223
|
function getContext (canvas) {
|
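--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: locomotivecms
 version: !ruby/object:Gem::Version
-version: 3.3.0.
+version: 3.3.0.rc3
 platform: ruby
 authors:
 - Didier Lafforgue
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -156,14 +156,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.3.0.
+version: 1.3.0.rc2
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.3.0.
+version: 1.3.0.rc2
 - !ruby/object:Gem::Dependency
 name: slim
 requirement: !ruby/object:Gem::Requirement
@@ -1245,6 +1245,7 @@ files:
 - spec/fixtures/assets/5k@2x.png
 - spec/fixtures/assets/5k_2.png
 - spec/fixtures/assets/application.js
+- spec/fixtures/assets/magic_mime_type.js
 - spec/fixtures/assets/main.css
 - spec/fixtures/assets/ruby_logo.svg
 - spec/fixtures/assets/specs.pdf
@@ -1393,6 +1394,7 @@ test_files:
 - spec/fixtures/assets/5k@2x.png
 - spec/fixtures/assets/5k_2.png
 - spec/fixtures/assets/application.js
+- spec/fixtures/assets/magic_mime_type.js
 - spec/fixtures/assets/main.css
 - spec/fixtures/assets/ruby_logo.svg
 - spec/fixtures/assets/specs.pdf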