publify_core 9.2.8 → 9.2.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ceb79c67a3eab641f5515e427d022de68e365fa219c18dd686127063669f1d09
-  data.tar.gz: 1d2916a5932b8f0797ddf5af93359d593829d91c5509f7e64490d9250f3de71e
+  metadata.gz: 5527fac8b20913bab53dd2561d1733883484d9b2334da9acfb46265468caa501
+  data.tar.gz: 683bd0f0cdc369a1da0b6c6fa86c11be5aa51b657336ae6e96dbd6dc9f386193
 SHA512:
-  metadata.gz: 9460c12c7a912eed0462b0e8769af2d23419bc0f7132ea7a071eb72c2e544d437b1f5ab2cdd89ec5ab28445e63cc42bb0628a39892d31baf3d82f8437d3fefb2
-  data.tar.gz: 32cfcbade0b7fe6573daaf6fbe37c6f416e8e8a33b0a43b072c7678ec4b484c7a62fcf1eab76bf779b7f7141cf986a1094ed8c1be9ca10adad3c2a77deaac154
+  metadata.gz: f494f56b72b267db6ed6d6962014290ddd1a0d888c83c9ec101a7c41572a27234e663c64ba021190252a04cb19e38eb1a109c2ccf4e41a0c1006b04b92bebcf7
+  data.tar.gz: 6b2e942362cefab924e25bb069d8a7a26e55605cb83b343f1934a62e9e6cf149cd2ee30b8d7dcbc3db181d14f59cddcd2c8de2c86b9e6b9822583d0861f07ccb

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 9.2.10 / 2023-01-08
+
+* Bump Rails version to 5.2.8.1 [#1070](https://github.com/publify/publify/pull/1070)
+* Limit length of settings values [#1072](https://github.com/publify/publify/pull/1072)
+* Require login to stay unique when updating a User [#1073](https://github.com/publify/publify/pull/1073)
+* Validate lengths of string attributes [#1077](https://github.com/publify/publify/pull/1077)
+* Strip EXIF data from resource uploads [#1078](https://github.com/publify/publify/pull/1078)
+* Require user passwords to be strong [#1086](https://github.com/publify/publify/pull/1086)
+
+## 9.2.9 / 2022-05-22
+
+* Fix admin article access control [#1065](https://github.com/publify/publify/pull/1065)
+* Refuse html files as resources even if declared to be plain text [#1066](https://github.com/publify/publify/pull/1066)
+
 ## 9.2.8 / 2022-05-14
 
 * Fix password protected article reveal [#1049](https://github.com/publify/publify/pull/1049)

data/app/controllers/admin/content_controller.rb

@@ -58,9 +58,9 @@ class Admin::ContentController < Admin::BaseController
   end
 
   def update
-    return unless access_granted?(params[:id])
+    id = params[:id]
+    return unless access_granted?(id)
 
-    id = params[:article][:id] || params[:id]
     @article = Article.find(id)
 
     if params[:article][:draft]
@@ -101,6 +101,7 @@ class Admin::ContentController < Admin::BaseController
     return false unless request.xhr?
 
     id = params[:article][:id] || params[:id]
+    return if id && !access_granted?(id)
 
     article_factory = Article::Factory.new(this_blog, current_user)
     @article = article_factory.get_or_build_from(id)

data/app/models/blog.rb

@@ -9,6 +9,8 @@
 #
 class Blog < ApplicationRecord
   include ConfigManager
+  include StringLengthLimit
+
   include Rails.application.routes.url_helpers
 
   has_many :contents
@@ -71,11 +73,11 @@ class Blog < ApplicationRecord
   setting :image_medium_size, :integer, 600
 
   # SEO
-  setting :meta_description, :string, ""
+  setting :meta_description, :text, ""
   setting :meta_keywords, :string, ""
   setting :google_analytics, :string, ""
   setting :rss_description, :boolean, false
-  setting :rss_description_text, :string, <<-HTML.strip_heredoc
+  setting :rss_description_text, :text, <<-HTML.strip_heredoc
     <hr />
     <p><small>Original article written by %author% and published on <a href='%blog_url%'>%blog_name%</a>
     | <a href='%permalink_url%'>direct link to this article</a>
@@ -83,8 +85,8 @@ class Blog < ApplicationRecord
       it has been illegally reproduced and without proper authorization.</small></p>
   HTML
   setting :permalink_format, :string, "/%year%/%month%/%day%/%title%"
-  setting :robots, :string, 'User-agent: *\nAllow: /\nDisallow: /admin\n'
-  setting :humans, :string, <<-TEXT.strip_heredoc
+  setting :robots, :text, 'User-agent: *\nAllow: /\nDisallow: /admin\n'
+  setting :humans, :text, <<-TEXT.strip_heredoc
     /* TEAM */
     Your title: Your name.
     Site: email, link to a contact form, etc.
@@ -139,6 +141,7 @@ class Blog < ApplicationRecord
 
   validate :permalink_has_identifier
   # validates :base_url, presence: true
+  validates_default_string_length :base_url
 
   # Find the Blog that matches a specific base URL. If no Blog object is found
   # that matches, then grab the first blog. If *that* fails, then create a new

data/app/models/comment.rb

@@ -41,18 +41,15 @@ class Comment < Feedback
   private
 
   def article_allows_feedback?
-    return true if article.allow_comments?
-
-    errors.add(:article, "Article is not open to comments")
-    false
+    article.allow_comments?
   end
 
   def blog_allows_feedback?
     true
   end
 
-  def check_article_closed_for_feedback
-    errors.add(:article, "Comment are closed") if article.comments_closed?
+  def article_closed_for_feedback?
+    article.comments_closed?
   end
 
   def originator

data/app/models/concerns/string_length_limit.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module StringLengthLimit
+  # Default string length limit for model attributes. When running on MySQL,
+  # this is equal to the default string length in the database as set by Rails.
+  STRING_LIMIT = 255
+
+  extend ActiveSupport::Concern
+
+  class_methods do
+    def validates_default_string_length(*names)
+      names.each do |name|
+        validates name, length: { maximum: STRING_LIMIT }
+      end
+    end
+  end
+end

data/app/models/config_manager.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
 module ConfigManager
-  def self.append_features(base)
-    super
+  def self.included(base)
     base.extend(ClassMethods)
   end
 
@@ -12,12 +11,17 @@ module ConfigManager
     end
 
     def setting(name, type = :object, default = nil)
+      raise "Invalid type: #{type}" unless Item::VALID_TYPES.include? type
+
       item = Item.new
       item.name = name.to_s
       item.ruby_type = type
       item.default = default
       fields[name.to_s] = item
-      add_setting_accessor(item)
+
+      add_setting_reader(item)
+      add_setting_writer(item)
+      add_setting_validation(item)
     end
 
     def default_for(key)
@@ -26,11 +30,6 @@ module ConfigManager
 
     private
 
-    def add_setting_accessor(item)
-      add_setting_reader(item)
-      add_setting_writer(item)
-    end
-
     def add_setting_reader(item)
       send(:define_method, item.name) do
         raw_value = settings[item.name]
@@ -51,6 +50,15 @@ module ConfigManager
         retval
       end
     end
+
+    def add_setting_validation(item)
+      case item.ruby_type
+      when :string
+        validates item.name, length: { maximum: 256 }
+      when :text
+        validates item.name, length: { maximum: 2048 }
+      end
+    end
   end
 
   def canonicalize(key, value)
@@ -58,6 +66,8 @@ module ConfigManager
   end
 
   class Item
+    VALID_TYPES = [:boolean, :integer, :string, :text].freeze
+
     attr_accessor :name, :ruby_type, :default
 
     def canonicalize(value)
@@ -71,12 +81,8 @@ module ConfigManager
         end
       when :integer
         value.to_i
-      when :string
+      when :string, :text
         value.to_s
-      when :yaml
-        value.to_yaml
-      else
-        value
       end
     end
   end

data/app/models/content.rb

@@ -5,6 +5,7 @@ require "uri"
 
 class Content < ApplicationRecord
   include ContentBase
+  include StringLengthLimit
 
   belongs_to :user, optional: true, touch: true
   belongs_to :blog
@@ -38,6 +39,9 @@ class Content < ApplicationRecord
 
   serialize :whiteboard
 
+  validates_default_string_length :title, :author, :permalink, :name,
+                                  :post_type, :text_filter_name
+
   def author=(user)
     if user.respond_to?(:login)
       self[:author] = user.login

data/app/models/feedback.rb

@@ -10,11 +10,16 @@ class Feedback < ApplicationRecord
 
   include PublifyGuid
   include ContentBase
+  include StringLengthLimit
 
-  validate :article_allows_this_feedback, on: :create
-  validate :feedback_not_closed, on: :create
+  validate :feedback_allowed, on: :create
   validates :article, presence: true
 
+  validates_default_string_length :title, :author, :email, :url, :blog_name,
+                                  :user_agent, :text_filter_name
+
+  validates :ip, length: { maximum: 40 }
+
   before_save :correct_url, :classify_content
   before_create :create_guid
 
@@ -99,8 +104,20 @@ class Feedback < ApplicationRecord
     self.url = "http://#{url}" unless %r{^https?://}.match?(url)
   end
 
-  def article_allows_this_feedback
-    article && blog_allows_feedback? && article_allows_feedback?
+  def feedback_allowed
+    return unless article
+
+    unless blog_allows_feedback?
+      errors.add(:base, "#{plural_model_name} are disabled")
+      return
+    end
+
+    unless article_allows_feedback?
+      errors.add(:article, "Article is not open for #{plural_model_name.downcase}")
+      return
+    end
+
+    errors.add(:article, "#{plural_model_name} are closed") if article_closed_for_feedback?
   end
 
   def akismet_options
@@ -200,10 +217,6 @@ class Feedback < ApplicationRecord
     end
   end
 
-  def feedback_not_closed
-    check_article_closed_for_feedback
-  end
-
   def send_notifications
     nil
   end
@@ -242,4 +255,8 @@ class Feedback < ApplicationRecord
   def blog_id
     article.blog_id if article.present?
   end
+
+  def plural_model_name
+    self.class.model_name.human.pluralize
+  end
 end

data/app/models/ping.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
 class Ping < ApplicationRecord
+  include StringLengthLimit
+
   belongs_to :article
+  validates_default_string_length :url
 end

data/app/models/post_type.rb

@@ -1,9 +1,13 @@
 # frozen_string_literal: true
 
 class PostType < ApplicationRecord
+  include StringLengthLimit
+
   validates :name, uniqueness: true
   validates :name, presence: true
   validate :name_is_not_read
+  validates_default_string_length :name, :permalink, :description
+
   before_save :sanitize_title
 
   def name_is_not_read

data/app/models/redirect.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Redirect < ApplicationRecord
+  include StringLengthLimit
+
   belongs_to :content, optional: true, touch: true
   belongs_to :blog
 
@@ -8,6 +10,8 @@ class Redirect < ApplicationRecord
   validates :to_path, presence: true
   validates :blog, presence: true
 
+  validates_default_string_length :from_path, :to_path
+
   def full_to_path
     path = to_path
     # FIXME: Unify HTTP URI matchers

data/app/models/resource.rb

@@ -4,9 +4,12 @@ require "carrierwave"
 require "carrierwave/orm/activerecord"
 
 class Resource < ApplicationRecord
+  include StringLengthLimit
   belongs_to :blog
   belongs_to :content, optional: true
 
   mount_uploader :upload, ResourceUploader
   validates :upload, presence: true
+
+  validates_default_string_length :mime
 end

data/app/models/tag.rb

@@ -1,12 +1,15 @@
 # frozen_string_literal: true
 
 class Tag < ApplicationRecord
+  include StringLengthLimit
+
   belongs_to :blog
   has_and_belongs_to_many :contents, order: "created_at DESC"
 
   validates :name, uniqueness: { scope: :blog_id }
   validates :blog, presence: true
   validates :name, presence: true
+  validates_default_string_length :display_name
 
   before_validation :ensure_naming_conventions
 

data/app/models/trackback.rb

@@ -14,24 +14,6 @@ class Trackback < Feedback
     end
   end
 
-  def article_allows_feedback?
-    return true if article.allow_pings?
-
-    errors.add(:article, "Article is not pingable")
-    false
-  end
-
-  def blog_allows_feedback?
-    return true unless blog.global_pings_disable
-
-    errors.add(:base, "Pings are disabled")
-    false
-  end
-
-  def check_article_closed_for_feedback
-    errors.add(:article, "Pings are closed") if article.pings_closed?
-  end
-
   def originator
     blog_name
   end
@@ -47,4 +29,18 @@ class Trackback < Feedback
   def feed_title
     "Trackback from #{blog_name}: #{title} on #{article.title}"
   end
+
+  private
+
+  def article_allows_feedback?
+    article.allow_pings?
+  end
+
+  def blog_allows_feedback?
+    !blog.global_pings_disable
+  end
+
+  def article_closed_for_feedback?
+    article.pings_closed?
+  end
 end

data/app/models/user.rb

@@ -12,15 +12,17 @@ class User < ApplicationRecord
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :trackable, :validatable, :zxcvbnable
   include ConfigManager
+  include StringLengthLimit
 
   before_validation :set_default_profile
 
-  validates :login, uniqueness: true, on: :create
-  validates :email, uniqueness: true, on: :create
+  validates :login, uniqueness: true
   validates :email, :login, presence: true
   validates :login, length: { in: 3..40 }
+  validates_default_string_length :email, :text_filter_name
+  validates :name, length: { maximum: 2048 }
 
   belongs_to :resource, optional: true
   has_many :notifications, foreign_key: "notify_user_id"

data/app/uploaders/resource_uploader.rb

@@ -4,7 +4,10 @@ require "marcel"
 
 class ResourceUploader < CarrierWave::Uploader::Base
   include CarrierWave::MiniMagick
-  before :cache, :check_image_content_type!
+  before :process, :check_content_type!
+
+  process :fix_exif_rotation, if: :image?
+  process :strip, if: :image?
 
   def content_type_allowlist
     [%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
@@ -32,31 +35,45 @@ class ResourceUploader < CarrierWave::Uploader::Base
     resize_to_fit(resize_setting, resize_setting)
   end
 
+  def strip
+    manipulate! do |img|
+      img.strip
+      img = yield(img) if block_given?
+      img
+    end
+  end
+
+  def fix_exif_rotation
+    manipulate! do |img|
+      img.auto_orient
+      img = yield(img) if block_given?
+      img
+    end
+  end
+
   def image?(new_file)
     content_type = new_file.content_type
     content_type&.include?("image")
   end
 
-  def check_image_content_type!(new_file)
-    if image?(new_file)
-      magic_type = mime_magic_content_type(new_file)
-      if magic_type != new_file.content_type
-        raise CarrierWave::IntegrityError, "has MIME type mismatch"
-      end
+  def check_content_type!(new_file)
+    detected_type = if image? new_file
+                      file_content_content_type(new_file)
+                    else
+                      file_content_type(new_file)
+                    end
+    if detected_type != new_file.content_type
+      raise CarrierWave::IntegrityError, "has MIME type mismatch"
     end
   end
 
   private
 
-  # NOTE: This method was adapted from MagicMimeBlacklist#extract_content_type
-  # from CarrierWave 1.0.0 and SanitizedFile#mime_magic_content_type from CarrierWave 0.11.2
-  def mime_magic_content_type(new_file)
-    content_type = nil
-
-    File.open(new_file.path) do |fd|
-      content_type = Marcel::MimeType.for(fd)
-    end
+  def file_content_content_type(new_file)
+    Marcel::MimeType.for Pathname.new(new_file.path)
+  end
 
-    content_type
+  def file_content_type(new_file)
+    Marcel::MimeType.for Pathname.new(new_file.path), name: new_file.filename
   end
 end

data/config/locales/da.yml

@@ -736,7 +736,7 @@ da:
         godkender den.
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -750,7 +750,7 @@ da:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/de.yml

@@ -740,7 +740,7 @@ de:
         in diesem Blog erscheinen
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -754,7 +754,7 @@ de:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/en.yml

@@ -735,7 +735,7 @@ en:
         approves it
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -749,7 +749,7 @@ en:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/es-MX.yml

@@ -738,7 +738,7 @@ es-MX:
         este blog hasta qye el autor lo apruebe
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -752,7 +752,7 @@ es-MX:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/fr.yml

@@ -752,7 +752,7 @@ fr:
         pour modération. Il ne sera affiché qu'une fois approuvé par un modérateur
   date:
     abbr_month_names:
-    - 
+    -
     - jan
     - fév
     - mars
@@ -766,7 +766,7 @@ fr:
     - nov
     - déc
     month_names:
-    - 
+    -
     - Janvier
     - Février
     - Mars

data/config/locales/he.yml

@@ -731,7 +731,7 @@ he:
         היא לא תופיע בבלוג עד אשר הכותב יאשר אותה
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -745,7 +745,7 @@ he:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/it.yml

@@ -737,7 +737,7 @@ it:
         approves it
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -751,7 +751,7 @@ it:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/ja.yml

@@ -719,7 +719,7 @@ ja:
       this_comment_has_been_flagged_for_moderator_approval: このコメントはモデレーターの確認が必要です。モデレーターが確認後にコメントが表示されます。
   date:
     abbr_month_names:
-    - 
+    -
     - 1月
     - 2月
     - 3月
@@ -733,7 +733,7 @@ ja:
     - 11月
     - 12月
     month_names:
-    - 
+    -
     - 1月
     - 2月
     - 3月

data/config/locales/lt.yml

@@ -752,7 +752,7 @@ lt:
         patvirtinimo
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -766,7 +766,7 @@ lt:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/nb-NO.yml

@@ -732,7 +732,7 @@ nb-NO:
         før moderatoren godkjenner den.
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -746,7 +746,7 @@ nb-NO:
     - Nov
     - Des
     month_names:
-    - 
+    -
     - Januar
     - Februar
     - Mars

data/config/locales/nl.yml

@@ -739,7 +739,7 @@ nl:
         voor goedkeuring. Het zal niet getoond worden totdat de auteur het goedkeurt.
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mrt
@@ -753,7 +753,7 @@ nl:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - Januari
     - Februari
     - Maart

data/config/locales/pl.yml

@@ -764,7 +764,7 @@ pl:
         na akceptację.  Nie ukaże się do czasu zaakceptowania przez autora.
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -778,7 +778,7 @@ pl:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/pt-BR.yml

@@ -738,7 +738,7 @@ pt-BR:
         para aprovação do moderador. Não será exibido até o autor aprovar.
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Fev
     - Mar
@@ -752,7 +752,7 @@ pt-BR:
     - Nov
     - Dez
     month_names:
-    - 
+    -
     - Janeiro
     - Fevereiro
     - Março

data/config/locales/ro.yml

@@ -751,7 +751,7 @@ ro:
         marcat pentru moderare. El nu va apărea în blog înainte de a fi aprobat.
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -765,7 +765,7 @@ ro:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/ru.yml

@@ -765,7 +765,7 @@ ru:
         approves it
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -779,7 +779,7 @@ ru:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/zh-CN.yml

@@ -720,7 +720,7 @@ zh-CN:
       this_comment_has_been_flagged_for_moderator_approval: 這篇评论被標示為版主所允許的。他不會在博客顯示直到版主承認他。
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -734,7 +734,7 @@ zh-CN:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/config/locales/zh-TW.yml

@@ -721,7 +721,7 @@ zh-TW:
       this_comment_has_been_flagged_for_moderator_approval: 這篇評論被標示為版主所允許的。他不會在部落格顯示直到版主承認他。
   date:
     abbr_month_names:
-    - 
+    -
     - Jan
     - Feb
     - Mar
@@ -735,7 +735,7 @@ zh-TW:
     - Nov
     - Dec
     month_names:
-    - 
+    -
     - January
     - February
     - March

data/lib/publify_core/testing_support/factories.rb

@@ -21,7 +21,7 @@ FactoryBot.define do
     notify_via_email { false }
     notify_on_new_articles { false }
     notify_on_comments { false }
-    password { "top-secret" }
+    password { "top-Secret12!$#" }
     state { "active" }
     profile { User::CONTRIBUTOR }
 

data/lib/publify_core/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PublifyCore
-  VERSION = "9.2.8"
+  VERSION = "9.2.10"
 end

data/lib/publify_core.rb

@@ -2,6 +2,7 @@
 
 require "devise"
 require "devise-i18n"
+require "devise_zxcvbn"
 
 require "publify_core/version"
 require "publify_core/engine"

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: publify_core
 version: !ruby/object:Gem::Version
-  version: 9.2.8
+  version: 9.2.10
 platform: ruby
 authors:
 - Matijs van Zuijlen
 - Yannick François
 - Thomas Lecavellier
 - Frédéric de Villamil
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-14 00:00:00.000000000 Z
+date: 2023-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aasm
@@ -111,6 +111,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: devise_zxcvbn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: dynamic_form
   requirement: !ruby/object:Gem::Requirement
@@ -235,6 +249,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.12.5
+- !ruby/object:Gem::Dependency
+  name: psych
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.2.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -409,28 +437,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '6.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '6.2'
 - !ruby/object:Gem::Dependency
   name: feedjira
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '3.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: i18n-tasks
   requirement: !ruby/object:Gem::Requirement
@@ -487,20 +515,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: shoulda-matchers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.5'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.18.5
+        version: 0.19.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.18.5
+        version: 0.19.0
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -712,6 +754,7 @@ files:
 - app/models/article/factory.rb
 - app/models/blog.rb
 - app/models/comment.rb
+- app/models/concerns/string_length_limit.rb
 - app/models/config_manager.rb
 - app/models/content.rb
 - app/models/content_base.rb
@@ -972,6 +1015,7 @@ files:
 - lib/publify_core/testing_support/fixtures/fakepng.png
 - lib/publify_core/testing_support/fixtures/just_some.html
 - lib/publify_core/testing_support/fixtures/otherfile.txt
+- lib/publify_core/testing_support/fixtures/testfile.jpg
 - lib/publify_core/testing_support/fixtures/testfile.png
 - lib/publify_core/testing_support/fixtures/testfile.txt
 - lib/publify_core/testing_support/upload_fixtures.rb
@@ -1001,7 +1045,7 @@ homepage: https://publify.github.io/
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -1017,7 +1061,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.6
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Core engine for the Publify blogging system.
 test_files: []