publify_core 9.2.1 → 9.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4b54212d5fc4e4291890a1aa527561a41dc19ad64d58841c0407e14f9e6ccebc
-  data.tar.gz: 7ebc8493ba977031d7ebcb3ac4a659fcf248d419a97ee09418a618eb29cee2dc
+  metadata.gz: 8598a2b44749716a7bf3f75ab494ff6ba4ef327f29d6606ed3fd21ccce7df918
+  data.tar.gz: b3f58570a4180cb07bfa2852d3bf0c10160feb9f14039875d6e5182fbb56a368
 SHA512:
-  metadata.gz: 8a16d3eeec887dec33e6733d7eab215f1677e808dcecde23ab7b4a8c8b65df748a71bdfe74312e491c48183b18ea0814aa859ca4ba3971303f652ef5adca9846
-  data.tar.gz: 53d08aac3318179a27a067755546f88b80fc24555fcff1d4d4c76aad7b2b4284d2dad3cb246858e929781bce8fee1c608b922d8f2c017b1c7729c0d547bfe912
+  metadata.gz: 5ceafbc0b711d3c0d113e61e9339c9175b6cf18afb08fded9321148d2b3b7ddf1809a9de8de0428f5364820d15de19a58a4b0a811018e6cc210357ccb49e868f
+  data.tar.gz: 7e476032ad37744aee63a7f746c81f020684857fedd43ff6468648ce1133280fd3efc7b78bea560ffd69d34b250dc120e05c767a44361eb376d91de54ecd2c35

data/CHANGELOG.md

@@ -1,5 +1,35 @@
 # Changelog
 
+## 9.2.5 / 2021-10-11
+
+This release fixes several security issues:
+
+* Block ability to switch themes using a GET request; use a POST instead
+* Disallow user self-registration rather than hiding it
+* Let the browser not cache admin pages
+* Limit the set of allowed mime types for uploaded media
+* Limit allowed HTML in articles, pages and notes
+
+Additionally, it includes the following changes:
+
+* Fix resource size display in admin resource list
+* Trigger download of media in the Media Library in admin instead of displaying
+  them directly
+
+## 9.2.4 / 2021-10-02
+
+* Explicitly require at least version 1.12.5 of nokogiri to avoid a security issue
+* Drop support for Ruby 2.4 since it is incompatible with nokogiri 1.12.5
+
+## 9.2.3 / 2021-05-22
+
+* Bump Rails dependency to 5.2.6
+* Replace mimemagic with marcel
+
+## 9.2.2 / 2021-03-21
+
+* No changes
+
 ## 9.2.1 / 2021-03-20
 
 * No changes

data/app/controllers/admin/base_controller.rb

@@ -10,6 +10,7 @@ class Admin::BaseController < BaseController
   layout "administration"
 
   before_action :login_required, except: [:login, :signup]
+  before_action :no_caching
 
   private
 
@@ -24,4 +25,9 @@ class Admin::BaseController < BaseController
                             name: controller_name.humanize)
     redirect_to action: "index"
   end
+
+  def no_caching
+    response.cache_control[:extras] =
+      ["no-cache", "max-age=0", "must-revalidate", "no-store"]
+  end
 end

data/app/controllers/users/registrations_controller.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class Users::RegistrationsController < Devise::RegistrationsController
+  include BlogHelper
+  before_action :require_signup_allowed
+
+  private
+
+  def require_signup_allowed
+    render plain: "Not found", status: :not_found unless this_blog.allow_signup?
+  end
+end

data/app/helpers/base_helper.rb

@@ -240,10 +240,15 @@ module BaseHelper
   end
 
   def nofollowify_links(string)
+    raise ArgumentError, "string", "must be html_safe" unless string.html_safe?
+
     if this_blog.dofollowify
       string
     else
-      string.gsub(/<a(.*?)>/i, '<a\1 rel="nofollow">')
+      followify_scrubber = Loofah::Scrubber.new do |node|
+        node.set_attribute "rel", "nofollow" if node.name == "a"
+      end
+      sanitize h(string), scrubber: followify_scrubber
     end
   end
 

data/app/models/article.rb

@@ -225,10 +225,6 @@ class Article < Content
       published_at.to_i > blog.sp_article_auto_close.days.ago.to_i
   end
 
-  def content_fields
-    [:body, :extended]
-  end
-
   # The web interface no longer distinguishes between separate "body" and
   # "extended" fields, and instead edits everything in a single edit field,
   # separating the extended content using "\<!--more-->".

data/app/models/comment.rb

@@ -50,8 +50,4 @@ class Comment < Feedback
   def originator
     author
   end
-
-  def content_fields
-    [:body]
-  end
 end

data/app/models/content_base.rb

@@ -5,6 +5,12 @@ module ContentBase
     base.extend ClassMethods
   end
 
+  class ContentTextHelpers
+    include ActionView::Helpers::UrlHelper
+    include ActionView::Helpers::TextHelper
+    include ActionView::Helpers::SanitizeHelper
+  end
+
   attr_accessor :just_changed_published_status
   alias just_changed_published_status? just_changed_published_status
 
@@ -26,7 +32,7 @@ module ContentBase
     elsif html_map(field)
       generate_html(field)
     else
-      raise "Unknown field: #{field.inspect} in content.html"
+      raise ArgumentError, "Field #{field.inspect} is not valid for #{self.class}"
     end
   end
 
@@ -39,10 +45,10 @@ module ContentBase
     html_postprocess(field, html).to_s
   end
 
-  # Post-process the HTML.  This is a noop by default, but Comment overrides it
-  # to enforce HTML sanity.
+  # Post-process the HTML
   def html_postprocess(_field, html)
-    html
+    helper = ContentTextHelpers.new
+    helper.sanitize html
   end
 
   def html_preprocess(_field, html)

data/app/models/feedback.rb

@@ -11,12 +11,6 @@ class Feedback < ApplicationRecord
   include PublifyGuid
   include ContentBase
 
-  class ContentTextHelpers
-    include ActionView::Helpers::UrlHelper
-    include ActionView::Helpers::TextHelper
-    include ActionView::Helpers::SanitizeHelper
-  end
-
   validate :feedback_not_closed, on: :create
   validates :article, presence: true
 

data/app/uploaders/resource_uploader.rb

@@ -1,11 +1,15 @@
 # frozen_string_literal: true
 
-require "mimemagic"
+require "marcel"
 
 class ResourceUploader < CarrierWave::Uploader::Base
   include CarrierWave::MiniMagick
   before :cache, :check_image_content_type!
 
+  def content_type_allowlist
+    [%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
+  end
+
   def store_dir
     "files/#{model.class.to_s.underscore}/#{model.id}"
   end
@@ -50,14 +54,9 @@ class ResourceUploader < CarrierWave::Uploader::Base
     content_type = nil
 
     File.open(new_file.path) do |fd|
-      content_type = MimeMagic.by_magic(fd).try(:type)
+      content_type = Marcel::MimeType.for(fd)
     end
 
     content_type
   end
-
-  # NOTE: This method was copied from MagicMimeBlacklist from CarrierWave 1.0.0.
-  def filemagic
-    @filemagic ||= FileMagic.new(FileMagic::MAGIC_MIME_TYPE)
-  end
 end

data/app/views/admin/resources/index.html.erb

@@ -33,38 +33,34 @@
     </tr>
   <% end %>
 
-  <% for upload in @resources %>
+  <% for resource in @resources %>
   <tr>
     <td>
-      <% if upload.mime =~ /image/ %>
-      <a href="<%= upload.upload.medium.url %>" data-toggle="lightbox">
-        <%= image_tag(upload.upload.thumb.url) %>
-      </a>
+      <% if resource.mime =~ /image/ %>
+        <a href="<%= resource.upload.medium.url %>" data-toggle="lightbox">
+          <%= image_tag(resource.upload.thumb.url) %>
+        </a>
       <% else %>
-      <%= link_to(upload.upload_url, upload.upload_url) %>
+        <%= link_to(resource.upload_url, resource.upload_url, download: resource.upload.identifier) %>
       <% end %>
       <p>
         <small>
-          <% if upload.mime =~ /image/ %>
-            <%= link_to(t('.thumbnail'), upload.upload.thumb.url) %> |
-            <%= link_to(t('.medium_size'), upload.upload.medium.url) %> |
-            <%= link_to(t('.original_size'), upload.upload.url) %> |
+          <% if resource.mime =~ /image/ %>
+            <%= link_to(t('.thumbnail'), resource.upload.thumb.url) %> |
+            <%= link_to(t('.medium_size'), resource.upload.medium.url) %> |
+            <%= link_to(t('.original_size'), resource.upload.url) %> |
           <% end %>
           <%= link_to(t('.delete'),
-                      { action: 'destroy', id: upload.id, search: params[:search], page: params[:page] },
+                      { action: 'destroy', id: resource.id, search: params[:search], page: params[:page] },
                       { confirm: t('.are_you_sure'), method: :delete }) %>
         </small>
       </p>
     </td>
     <td>
-      <%= upload.mime %>
+      <%= resource.mime %>
     </td>
-    <td><%= begin
-              h upload.size
-            rescue StandardError
-              0
-            end %> bytes</td>
-    <td><%= l(upload.created_at, format: :short) %></td>
+    <td><%= resource.upload.size %> bytes</td>
+    <td><%= l(resource.created_at, format: :short) %></td>
   </tr>
   <% end %>
   <%= display_pagination(@resources, 6) %>

data/app/views/admin/themes/index.html.erb

@@ -16,10 +16,10 @@
       </div>
     <% else %>
       <div>
-        <h3><%= link_to(theme.name, switch_url, title: t('.use_this_theme')) %></h3>
-        <%= link_to(image_tag(preview_url, class: 'img-thumbnail'), switch_url, title: t('.use_this_theme')) %>
+        <h3><%= theme.name %></h3>
+        <%= image_tag(preview_url, class: 'img-thumbnail') %>
         <%= raw theme.description_html %>
-        <p><%= link_to(t('.use_this_theme'), switch_url, class: 'btn btn-info') %></p>
+        <p><%= button_to(t('.use_this_theme'), switch_url, class: 'btn btn-info') %></p>
       </div>
     <% end %>
   </div>

data/app/views/articles/_article_excerpt.html.erb

@@ -5,7 +5,7 @@
       <p><%= link_to_permalink article, t('.continue_reading') %></p>
     </div>
   <% else %>
-    <%= raw article.html(:body) %>
+    <%= article.html(:body) %>
     <% if article.extended? %>
       <div class="extended">
         <p><%= link_to_permalink article, t('.continue_reading') %></p>

data/app/views/articles/_full_article_content.html.erb

@@ -1,4 +1,4 @@
 <% cache article do %>
-  <%= raw article.html(:body) %>
-  <%= raw article.html(:extended) %>
+  <%= article.html(:body) %>
+  <%= article.html(:extended) %>
 <% end %>

data/app/views/articles/view_page.html.erb

@@ -1,3 +1,3 @@
 <div id="viewpage">
-  <%= raw html @page %>
+  <%= html @page %>
 </div>

data/app/views/comments/_comment.html.erb

@@ -6,7 +6,7 @@
     <%= t('.said') %> <%= display_date_and_time comment.created_at %>:
     </p>
     <div class="content">
-      <%= raw nofollowify_links comment.generate_html(:body) %>
+      <%= nofollowify_links comment.generate_html(:body) %>
       <% unless comment.published? %>
         <div class="spamwarning">
           <%= t('.this_comment_has_been_flagged_for_moderator_approval') %>

data/app/views/notes/_note.html.erb

@@ -1,7 +1,7 @@
 <% cache [note, note.user] do %>
   <article class='status'>
     <%= author_picture note %>
-    <div class='p-name entry-title e-content entry-content article'><%= raw note.html(:body) %></div>
+    <div class='p-name entry-title e-content entry-content article'><%= note.html(:body) %></div>
     <footer>
       <small>
         <%= link_to_permalink(note, display_date_and_time(note.published_at)) %> |

data/app/views/notes/index.html.erb

@@ -2,7 +2,7 @@
   <% for note in @notes %>
   <div class='h-entry hentry h-as-note'>
     <article>
-      <p class='p-name entry-title e-content entry-content article'><%= raw note.html(:body) %></p>
+      <p class='p-name entry-title e-content entry-content article'><%= note.html(:body) %></p>
       <footer>
         <small><%= link_to_permalink(note, display_date_and_time(note.published_at)) %></small>
       </footer>

data/config/routes.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 Rails.application.routes.draw do
-  devise_for :users
+  devise_for :users, controllers: { registrations: "users/registrations" }
+
   # TODO: use only in archive sidebar. See how made other system
   get ":year/:month", to: "articles#index", year: /\d{4}/, month: /\d{1,2}/,
                       as: "articles_by_month", format: false
@@ -144,7 +145,7 @@ Rails.application.routes.draw do
     resources :themes, only: [:index], format: false do
       collection do
         get "preview"
-        get "switchto"
+        post "switchto"
       end
     end
 

data/lib/publify_core/testing_support/fixtures/just_some.html

@@ -0,0 +1,5 @@
+<html>
+  <body>
+    <p>Hello!</p>
+  </body>
+</html>

data/lib/publify_core/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PublifyCore
-  VERSION = "9.2.1"
+  VERSION = "9.2.5"
 end

data/lib/spam_protection.rb

@@ -82,16 +82,14 @@ class SpamProtection
   def query_rbls(rbls, *subdomains)
     rbls.each do |rbl|
       subdomains.uniq.each do |d|
-        begin
-          response = IPSocket.getaddress([d, rbl].join("."))
-          if response.start_with?("127.0.0.")
-            throw :hit,
-                  "#{rbl} positively resolved subdomain #{d} => #{response}"
-          end
-        rescue SocketError
-          # NXDOMAIN response => negative:  d is not in RBL
-          next
+        response = IPSocket.getaddress([d, rbl].join("."))
+        if response.start_with?("127.0.0.")
+          throw :hit,
+                "#{rbl} positively resolved subdomain #{d} => #{response}"
         end
+      rescue SocketError
+        # NXDOMAIN response => negative:  d is not in RBL
+        next
       end
     end
     false

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: publify_core
 version: !ruby/object:Gem::Version
-  version: 9.2.1
+  version: 9.2.5
 platform: ruby
 authors:
 - Matijs van Zuijlen
 - Yannick François
 - Thomas Lecavellier
 - Frédéric de Villamil
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-20 00:00:00.000000000 Z
+date: 2021-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aasm
@@ -202,39 +202,39 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.2.1
 - !ruby/object:Gem::Dependency
-  name: mimemagic
+  name: mini_magick
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.2
+        version: '4.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.9.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.2
+        version: '4.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.9.4
 - !ruby/object:Gem::Dependency
-  name: mini_magick
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '4.9'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.9.4
+        version: 1.12.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '4.9'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.9.4
+        version: 1.12.5
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -255,20 +255,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.2.4
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.2.4
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 5.2.4.3
+        version: 5.2.6
 - !ruby/object:Gem::Dependency
   name: rails_autolink
   requirement: !ruby/object:Gem::Requirement
@@ -700,6 +694,7 @@ files:
 - app/controllers/text_controller.rb
 - app/controllers/textfilter_controller.rb
 - app/controllers/theme_controller.rb
+- app/controllers/users/registrations_controller.rb
 - app/controllers/xml_controller.rb
 - app/helpers/admin/base_helper.rb
 - app/helpers/admin/feedback_helper.rb
@@ -974,6 +969,7 @@ files:
 - lib/publify_core/testing_support/feed_assertions.rb
 - lib/publify_core/testing_support/fixtures/exploit.svg
 - lib/publify_core/testing_support/fixtures/fakepng.png
+- lib/publify_core/testing_support/fixtures/just_some.html
 - lib/publify_core/testing_support/fixtures/otherfile.txt
 - lib/publify_core/testing_support/fixtures/testfile.png
 - lib/publify_core/testing_support/fixtures/testfile.txt
@@ -1004,7 +1000,7 @@ homepage: https://publify.github.io/
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -1012,15 +1008,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
-signing_key:
+rubygems_version: 3.1.6
+signing_key: 
 specification_version: 4
 summary: Core engine for the Publify blogging system.
 test_files: []