publify_core 9.2.4 → 9.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a656e67eabdbc775b90db037ea087c2bc27b179f7d2078ce24eee88d24db874
-  data.tar.gz: b241a29fbb8b5a942acac80e5a774271f31298d0d5add64b77134988902daf3b
+  metadata.gz: 8598a2b44749716a7bf3f75ab494ff6ba4ef327f29d6606ed3fd21ccce7df918
+  data.tar.gz: b3f58570a4180cb07bfa2852d3bf0c10160feb9f14039875d6e5182fbb56a368
 SHA512:
-  metadata.gz: f201fcc55b9caa48cee99651b6820aeecbf8d5fc655ce475da6d4b42d9e1741222d2611428bf98f5952e8a0df21d47ecba1733dd864eea9851fda3f996d7ec85
-  data.tar.gz: 749dea0ae5d68830f3de9a49ae216465be1d9542656fb9980896e029e74089aa9335559214ce05eb8f8646e17bc609fe2f626e0b599ae081278649b16bc915b3
+  metadata.gz: 5ceafbc0b711d3c0d113e61e9339c9175b6cf18afb08fded9321148d2b3b7ddf1809a9de8de0428f5364820d15de19a58a4b0a811018e6cc210357ccb49e868f
+  data.tar.gz: 7e476032ad37744aee63a7f746c81f020684857fedd43ff6468648ce1133280fd3efc7b78bea560ffd69d34b250dc120e05c767a44361eb376d91de54ecd2c35

data/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## 9.2.5 / 2021-10-11
+
+This release fixes several security issues:
+
+* Block ability to switch themes using a GET request; use a POST instead
+* Disallow user self-registration rather than hiding it
+* Let the browser not cache admin pages
+* Limit the set of allowed mime types for uploaded media
+* Limit allowed HTML in articles, pages and notes
+
+Additionally, it includes the following changes:
+
+* Fix resource size display in admin resource list
+* Trigger download of media in the Media Library in admin instead of displaying
+  them directly
+
 ## 9.2.4 / 2021-10-02
 
 * Explicitly require at least version 1.12.5 of nokogiri to avoid a security issue

data/app/controllers/admin/base_controller.rb

@@ -10,6 +10,7 @@ class Admin::BaseController < BaseController
   layout "administration"
 
   before_action :login_required, except: [:login, :signup]
+  before_action :no_caching
 
   private
 
@@ -24,4 +25,9 @@ class Admin::BaseController < BaseController
                             name: controller_name.humanize)
     redirect_to action: "index"
   end
+
+  def no_caching
+    response.cache_control[:extras] =
+      ["no-cache", "max-age=0", "must-revalidate", "no-store"]
+  end
 end

data/app/controllers/users/registrations_controller.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class Users::RegistrationsController < Devise::RegistrationsController
+  include BlogHelper
+  before_action :require_signup_allowed
+
+  private
+
+  def require_signup_allowed
+    render plain: "Not found", status: :not_found unless this_blog.allow_signup?
+  end
+end

data/app/helpers/base_helper.rb

@@ -240,10 +240,15 @@ module BaseHelper
   end
 
   def nofollowify_links(string)
+    raise ArgumentError, "string", "must be html_safe" unless string.html_safe?
+
     if this_blog.dofollowify
       string
     else
-      string.gsub(/<a(.*?)>/i, '<a\1 rel="nofollow">')
+      followify_scrubber = Loofah::Scrubber.new do |node|
+        node.set_attribute "rel", "nofollow" if node.name == "a"
+      end
+      sanitize h(string), scrubber: followify_scrubber
     end
   end
 

data/app/models/content_base.rb

@@ -5,6 +5,12 @@ module ContentBase
     base.extend ClassMethods
   end
 
+  class ContentTextHelpers
+    include ActionView::Helpers::UrlHelper
+    include ActionView::Helpers::TextHelper
+    include ActionView::Helpers::SanitizeHelper
+  end
+
   attr_accessor :just_changed_published_status
   alias just_changed_published_status? just_changed_published_status
 
@@ -39,10 +45,10 @@ module ContentBase
     html_postprocess(field, html).to_s
   end
 
-  # Post-process the HTML.  This is a noop by default, but Comment overrides it
-  # to enforce HTML sanity.
+  # Post-process the HTML
   def html_postprocess(_field, html)
-    html
+    helper = ContentTextHelpers.new
+    helper.sanitize html
   end
 
   def html_preprocess(_field, html)

data/app/models/feedback.rb

@@ -11,12 +11,6 @@ class Feedback < ApplicationRecord
   include PublifyGuid
   include ContentBase
 
-  class ContentTextHelpers
-    include ActionView::Helpers::UrlHelper
-    include ActionView::Helpers::TextHelper
-    include ActionView::Helpers::SanitizeHelper
-  end
-
   validate :feedback_not_closed, on: :create
   validates :article, presence: true
 

data/app/uploaders/resource_uploader.rb

@@ -6,6 +6,10 @@ class ResourceUploader < CarrierWave::Uploader::Base
   include CarrierWave::MiniMagick
   before :cache, :check_image_content_type!
 
+  def content_type_allowlist
+    [%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
+  end
+
   def store_dir
     "files/#{model.class.to_s.underscore}/#{model.id}"
   end

data/app/views/admin/resources/index.html.erb

@@ -33,38 +33,34 @@
     </tr>
   <% end %>
 
-  <% for upload in @resources %>
+  <% for resource in @resources %>
   <tr>
     <td>
-      <% if upload.mime =~ /image/ %>
-      <a href="<%= upload.upload.medium.url %>" data-toggle="lightbox">
-        <%= image_tag(upload.upload.thumb.url) %>
-      </a>
+      <% if resource.mime =~ /image/ %>
+        <a href="<%= resource.upload.medium.url %>" data-toggle="lightbox">
+          <%= image_tag(resource.upload.thumb.url) %>
+        </a>
       <% else %>
-      <%= link_to(upload.upload_url, upload.upload_url) %>
+        <%= link_to(resource.upload_url, resource.upload_url, download: resource.upload.identifier) %>
       <% end %>
       <p>
         <small>
-          <% if upload.mime =~ /image/ %>
-            <%= link_to(t('.thumbnail'), upload.upload.thumb.url) %> |
-            <%= link_to(t('.medium_size'), upload.upload.medium.url) %> |
-            <%= link_to(t('.original_size'), upload.upload.url) %> |
+          <% if resource.mime =~ /image/ %>
+            <%= link_to(t('.thumbnail'), resource.upload.thumb.url) %> |
+            <%= link_to(t('.medium_size'), resource.upload.medium.url) %> |
+            <%= link_to(t('.original_size'), resource.upload.url) %> |
           <% end %>
           <%= link_to(t('.delete'),
-                      { action: 'destroy', id: upload.id, search: params[:search], page: params[:page] },
+                      { action: 'destroy', id: resource.id, search: params[:search], page: params[:page] },
                       { confirm: t('.are_you_sure'), method: :delete }) %>
         </small>
       </p>
     </td>
     <td>
-      <%= upload.mime %>
+      <%= resource.mime %>
     </td>
-    <td><%= begin
-              h upload.size
-            rescue StandardError
-              0
-            end %> bytes</td>
-    <td><%= l(upload.created_at, format: :short) %></td>
+    <td><%= resource.upload.size %> bytes</td>
+    <td><%= l(resource.created_at, format: :short) %></td>
   </tr>
   <% end %>
   <%= display_pagination(@resources, 6) %>

data/app/views/admin/themes/index.html.erb

@@ -16,10 +16,10 @@
       </div>
     <% else %>
       <div>
-        <h3><%= link_to(theme.name, switch_url, title: t('.use_this_theme')) %></h3>
-        <%= link_to(image_tag(preview_url, class: 'img-thumbnail'), switch_url, title: t('.use_this_theme')) %>
+        <h3><%= theme.name %></h3>
+        <%= image_tag(preview_url, class: 'img-thumbnail') %>
         <%= raw theme.description_html %>
-        <p><%= link_to(t('.use_this_theme'), switch_url, class: 'btn btn-info') %></p>
+        <p><%= button_to(t('.use_this_theme'), switch_url, class: 'btn btn-info') %></p>
       </div>
     <% end %>
   </div>

data/app/views/articles/_article_excerpt.html.erb

@@ -5,7 +5,7 @@
       <p><%= link_to_permalink article, t('.continue_reading') %></p>
     </div>
   <% else %>
-    <%= raw article.html(:body) %>
+    <%= article.html(:body) %>
     <% if article.extended? %>
       <div class="extended">
         <p><%= link_to_permalink article, t('.continue_reading') %></p>

data/app/views/articles/_full_article_content.html.erb

@@ -1,4 +1,4 @@
 <% cache article do %>
-  <%= raw article.html(:body) %>
-  <%= raw article.html(:extended) %>
+  <%= article.html(:body) %>
+  <%= article.html(:extended) %>
 <% end %>

data/app/views/articles/view_page.html.erb

@@ -1,3 +1,3 @@
 <div id="viewpage">
-  <%= raw html @page %>
+  <%= html @page %>
 </div>

data/app/views/comments/_comment.html.erb

@@ -6,7 +6,7 @@
     <%= t('.said') %> <%= display_date_and_time comment.created_at %>:
     </p>
     <div class="content">
-      <%= raw nofollowify_links comment.generate_html(:body) %>
+      <%= nofollowify_links comment.generate_html(:body) %>
       <% unless comment.published? %>
         <div class="spamwarning">
           <%= t('.this_comment_has_been_flagged_for_moderator_approval') %>

data/app/views/notes/_note.html.erb

@@ -1,7 +1,7 @@
 <% cache [note, note.user] do %>
   <article class='status'>
     <%= author_picture note %>
-    <div class='p-name entry-title e-content entry-content article'><%= raw note.html(:body) %></div>
+    <div class='p-name entry-title e-content entry-content article'><%= note.html(:body) %></div>
     <footer>
       <small>
         <%= link_to_permalink(note, display_date_and_time(note.published_at)) %> |

data/app/views/notes/index.html.erb

@@ -2,7 +2,7 @@
   <% for note in @notes %>
   <div class='h-entry hentry h-as-note'>
     <article>
-      <p class='p-name entry-title e-content entry-content article'><%= raw note.html(:body) %></p>
+      <p class='p-name entry-title e-content entry-content article'><%= note.html(:body) %></p>
       <footer>
         <small><%= link_to_permalink(note, display_date_and_time(note.published_at)) %></small>
       </footer>

data/config/routes.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 Rails.application.routes.draw do
-  devise_for :users
+  devise_for :users, controllers: { registrations: "users/registrations" }
+
   # TODO: use only in archive sidebar. See how made other system
   get ":year/:month", to: "articles#index", year: /\d{4}/, month: /\d{1,2}/,
                       as: "articles_by_month", format: false
@@ -144,7 +145,7 @@ Rails.application.routes.draw do
     resources :themes, only: [:index], format: false do
       collection do
         get "preview"
-        get "switchto"
+        post "switchto"
       end
     end
 

data/lib/publify_core/testing_support/fixtures/just_some.html

@@ -0,0 +1,5 @@
+<html>
+  <body>
+    <p>Hello!</p>
+  </body>
+</html>

data/lib/publify_core/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PublifyCore
-  VERSION = "9.2.4"
+  VERSION = "9.2.5"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: publify_core
 version: !ruby/object:Gem::Version
-  version: 9.2.4
+  version: 9.2.5
 platform: ruby
 authors:
 - Matijs van Zuijlen
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-02 00:00:00.000000000 Z
+date: 2021-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aasm
@@ -694,6 +694,7 @@ files:
 - app/controllers/text_controller.rb
 - app/controllers/textfilter_controller.rb
 - app/controllers/theme_controller.rb
+- app/controllers/users/registrations_controller.rb
 - app/controllers/xml_controller.rb
 - app/helpers/admin/base_helper.rb
 - app/helpers/admin/feedback_helper.rb
@@ -968,6 +969,7 @@ files:
 - lib/publify_core/testing_support/feed_assertions.rb
 - lib/publify_core/testing_support/fixtures/exploit.svg
 - lib/publify_core/testing_support/fixtures/fakepng.png
+- lib/publify_core/testing_support/fixtures/just_some.html
 - lib/publify_core/testing_support/fixtures/otherfile.txt
 - lib/publify_core/testing_support/fixtures/testfile.png
 - lib/publify_core/testing_support/fixtures/testfile.txt