publify_core 9.2.8 → 9.2.9



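--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: ceb79c67a3eab641f5515e427d022de68e365fa219c18dd686127063669f1d09
-data.tar.gz: 1d2916a5932b8f0797ddf5af93359d593829d91c5509f7e64490d9250f3de71e
+metadata.gz: 72e8560336bbbbfd2c517840b744e34509782d0f4d6db7cde5ee607230770b65
+data.tar.gz: 886335b6900c26cfc579bf4197304b0e30cb8eedbe4c362a5394d153cb746487
 SHA512:
-metadata.gz: 9460c12c7a912eed0462b0e8769af2d23419bc0f7132ea7a071eb72c2e544d437b1f5ab2cdd89ec5ab28445e63cc42bb0628a39892d31baf3d82f8437d3fefb2
-data.tar.gz: 32cfcbade0b7fe6573daaf6fbe37c6f416e8e8a33b0a43b072c7678ec4b484c7a62fcf1eab76bf779b7f7141cf986a1094ed8c1be9ca10adad3c2a77deaac154
+metadata.gz: 695ae9d70e7cb24e7b10b4c2efaaff9d13e32bdcde17e5fcc4be6aab288f5d8d1a0b74465b54f79dd28cf1fbc55a3c7f0e80d02074e8706e863bbba15ddd0368
+data.tar.gz: 3044549f33cfe4db50562be0d0441e3fc952b433181eefc861768cbeb3072b11be25780c40b2977572ce69d38df945af520c09343d294920eccdf17198b9d143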
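--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 9.2.9 / 2022-05-22
+
+* Fix admin article access control [#1065](https://github.com/publify/publify/pull/1065)
+* Refuse html files as resources even if declared to be plain text [#1066](https://github.com/publify/publify/pull/1066)
+
 ## 9.2.8 / 2022-05-14
 
 * Fix password protected article reveal [#1049](https://github.com/publify/publify/pull/1049)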
@@ -58,9 +58,9 @@ class Admin::ContentController < Admin::BaseController
58
58
  end
59
59
 
60
60
  def update
61
- return unless access_granted?(params[:id])
61
+ id = params[:id]
62
+ return unless access_granted?(id)
62
63
 
63
- id = params[:article][:id] || params[:id]
64
64
  @article = Article.find(id)
65
65
 
66
66
  if params[:article][:draft]
@@ -101,6 +101,7 @@ class Admin::ContentController < Admin::BaseController
101
101
  return false unless request.xhr?
102
102
 
103
103
  id = params[:article][:id] || params[:id]
104
+ return if id && !access_granted?(id)
104
105
 
105
106
  article_factory = Article::Factory.new(this_blog, current_user)
106
107
  @article = article_factory.get_or_build_from(id)
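Review bot: The new guard `return if id && !access_granted?(id)` in the second hunk denies silently: the rest of the action is skipped, but nothing sets a status, so the client presumably receives whatever the default render produces rather than an explicit refusal (the enclosing method starts and ends outside the hunk, so how it finishes is not visible). Prefer `return head :forbidden if id && !access_granted?(id)` so a denied request is distinguishable from a successful one both on the client and in the request log, and consider the same for `update`'s `return unless access_granted?(id)` in the first hunk. Since `id` here is still taken from `params[:article][:id] || params[:id]`, a comment above the guard, `# Check the same id that get_or_build_from receives below`, would keep the checked id and the loaded id from drifting apart again, which is exactly what the first hunk fixes for `update`.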
@@ -4,7 +4,7 @@ require "marcel"
4
4
 
5
5
  class ResourceUploader < CarrierWave::Uploader::Base
6
6
  include CarrierWave::MiniMagick
7
- before :cache, :check_image_content_type!
7
+ before :cache, :check_content_type!
8
8
 
9
9
  def content_type_allowlist
10
10
  [%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
@@ -37,26 +37,24 @@ class ResourceUploader < CarrierWave::Uploader::Base
37
37
  content_type&.include?("image")
38
38
  end
39
39
 
40
- def check_image_content_type!(new_file)
41
- if image?(new_file)
42
- magic_type = mime_magic_content_type(new_file)
43
- if magic_type != new_file.content_type
44
- raise CarrierWave::IntegrityError, "has MIME type mismatch"
45
- end
40
+ def check_content_type!(new_file)
41
+ detected_type = if image? new_file
42
+ file_content_content_type(new_file)
43
+ else
44
+ file_content_type(new_file)
45
+ end
46
+ if detected_type != new_file.content_type
47
+ raise CarrierWave::IntegrityError, "has MIME type mismatch"
46
48
  end
47
49
  end
48
50
 
49
51
  private
50
52
 
51
- # NOTE: This method was adapted from MagicMimeBlacklist#extract_content_type
52
- # from CarrierWave 1.0.0 and SanitizedFile#mime_magic_content_type from CarrierWave 0.11.2
53
- def mime_magic_content_type(new_file)
54
- content_type = nil
55
-
56
- File.open(new_file.path) do |fd|
57
- content_type = Marcel::MimeType.for(fd)
58
- end
53
+ def file_content_content_type(new_file)
54
+ Marcel::MimeType.for Pathname.new(new_file.path)
55
+ end
59
56
 
60
- content_type
57
+ def file_content_type(new_file)
58
+ Marcel::MimeType.for Pathname.new(new_file.path), name: new_file.filename
61
59
  end
62
60
  end
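Review bot: The split inside `check_content_type!` (content-only detection for images, content-plus-filename for everything else) is undocumented now that the old NOTE comment is gone, and the branch is selected by `image?`, which the context line at the top of the second hunk shows is computed from the declared `content_type` — so the uploader picks which detector runs, although both paths end in the same strict equality check against the declared type. A comment above `detected_type = if image? new_file`, such as `# Images: compare the sniffed type alone; other files: also pass the filename so the declared type is checked against name-aware detection (rejects e.g. HTML declared as text/plain)`, would record the intent; the exact precedence Marcel gives the `name:` hint is not visible here and should be confirmed in its docs before relying on it. As a point of style, `file_content_content_type` and `file_content_type` differ by one repeated word and are easy to swap; `content_type_from_data` and `content_type_from_data_and_name` would read unambiguously.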
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module PublifyCore
4
- VERSION = "9.2.8"
4
+ VERSION = "9.2.9"
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: publify_core
3
3
  version: !ruby/object:Gem::Version
4
- version: 9.2.8
4
+ version: 9.2.9
5
5
  platform: ruby
6
6
  authors:
7
7
  - Matijs van Zuijlen
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2022-05-14 00:00:00.000000000 Z
14
+ date: 2022-05-22 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: aasm