publify_core 9.2.8 → 9.2.9
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/app/controllers/admin/content_controller.rb +3 -2
- data/app/uploaders/resource_uploader.rb +14 -16
- data/lib/publify_core/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 72e8560336bbbbfd2c517840b744e34509782d0f4d6db7cde5ee607230770b65
|
4
|
+
data.tar.gz: 886335b6900c26cfc579bf4197304b0e30cb8eedbe4c362a5394d153cb746487
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 695ae9d70e7cb24e7b10b4c2efaaff9d13e32bdcde17e5fcc4be6aab288f5d8d1a0b74465b54f79dd28cf1fbc55a3c7f0e80d02074e8706e863bbba15ddd0368
|
7
|
+
data.tar.gz: 3044549f33cfe4db50562be0d0441e3fc952b433181eefc861768cbeb3072b11be25780c40b2977572ce69d38df945af520c09343d294920eccdf17198b9d143
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,10 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 9.2.9 / 2022-05-22
|
4
|
+
|
5
|
+
* Fix admin article access control [#1065](https://github.com/publify/publify/pull/1065)
|
6
|
+
* Refuse html files as resources even if declared to be plain text [#1066](https://github.com/publify/publify/pull/1066)
|
7
|
+
|
3
8
|
## 9.2.8 / 2022-05-14
|
4
9
|
|
5
10
|
* Fix password protected article reveal [#1049](https://github.com/publify/publify/pull/1049)
|
@@ -58,9 +58,9 @@ class Admin::ContentController < Admin::BaseController
|
|
58
58
|
end
|
59
59
|
|
60
60
|
def update
|
61
|
-
|
61
|
+
id = params[:id]
|
62
|
+
return unless access_granted?(id)
|
62
63
|
|
63
|
-
id = params[:article][:id] || params[:id]
|
64
64
|
@article = Article.find(id)
|
65
65
|
|
66
66
|
if params[:article][:draft]
|
@@ -101,6 +101,7 @@ class Admin::ContentController < Admin::BaseController
|
|
101
101
|
return false unless request.xhr?
|
102
102
|
|
103
103
|
id = params[:article][:id] || params[:id]
|
104
|
+
return if id && !access_granted?(id)
|
104
105
|
|
105
106
|
article_factory = Article::Factory.new(this_blog, current_user)
|
106
107
|
@article = article_factory.get_or_build_from(id)
|
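Review bot: The two hunks now resolve the article id differently — `update` reads only the routed `params[:id]` and drops the old `params[:article][:id] || params[:id]`, while the xhr action in the second hunk still takes `params[:article][:id]` first and only then guards it with `return if id && !access_granted?(id)` — and neither says why, so the next maintainer may "harmonise" them back. A one-line comment above `id = params[:id]` would pin the intent: `# Authorize and load by the routed :id only; params[:article][:id] is client-controlled and must not select the record`. Both early returns also rely on `access_granted?` having already rendered or redirected on the false branch; its definition is outside these hunks, so if it merely returns false the action would fall through to Rails' implicit render, which is worth confirming in a spec that posts a mismatched nested id. The bodies of `update` and of the xhr action continue outside their hunks.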
@@ -4,7 +4,7 @@ require "marcel"
|
|
4
4
|
|
5
5
|
class ResourceUploader < CarrierWave::Uploader::Base
|
6
6
|
include CarrierWave::MiniMagick
|
7
|
-
before :cache, :
|
7
|
+
before :cache, :check_content_type!
|
8
8
|
|
9
9
|
def content_type_allowlist
|
10
10
|
[%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
|
@@ -37,26 +37,24 @@ class ResourceUploader < CarrierWave::Uploader::Base
|
|
37
37
|
content_type&.include?("image")
|
38
38
|
end
|
39
39
|
|
40
|
-
def
|
41
|
-
if image?
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
40
|
+
def check_content_type!(new_file)
|
41
|
+
detected_type = if image? new_file
|
42
|
+
file_content_content_type(new_file)
|
43
|
+
else
|
44
|
+
file_content_type(new_file)
|
45
|
+
end
|
46
|
+
if detected_type != new_file.content_type
|
47
|
+
raise CarrierWave::IntegrityError, "has MIME type mismatch"
|
46
48
|
end
|
47
49
|
end
|
48
50
|
|
49
51
|
private
|
50
52
|
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
content_type = nil
|
55
|
-
|
56
|
-
File.open(new_file.path) do |fd|
|
57
|
-
content_type = Marcel::MimeType.for(fd)
|
58
|
-
end
|
53
|
+
def file_content_content_type(new_file)
|
54
|
+
Marcel::MimeType.for Pathname.new(new_file.path)
|
55
|
+
end
|
59
56
|
|
60
|
-
|
57
|
+
def file_content_type(new_file)
|
58
|
+
Marcel::MimeType.for Pathname.new(new_file.path), name: new_file.filename
|
61
59
|
end
|
62
60
|
end
|
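Review bot: The strictness of the new `check_content_type!` hinges on the two detection paths differing only in the `name:` hint — `file_content_content_type` asks Marcel for the magic-bytes type alone, whereas `file_content_type` passes `name: new_file.filename`, and Marcel may let the filename decide when it treats the magic type as a generic ancestor, in which case the declared `text/plain` of the changelog's "html declared as plain text" case could still match and no `IntegrityError` is raised; I cannot tell from the hunk, so this deserves a regression spec (HTML bytes, `.txt` name, `text/plain` declared) rather than an assumption. The choice of path is also made by `image?`, whose definition sits above the hunk and appears to look at a content type rather than the bytes; a comment on `detected_type = if image? new_file` such as `# Images: trust magic bytes only; other files: let the filename disambiguate Marcel's generic text/binary fallbacks` would record the reasoning. Minor style: `file_content_content_type` is hard to distinguish from `file_content_type` — `magic_content_type` and `hinted_content_type` would read more clearly — and the trailing `if … end` can be the one-liner `raise CarrierWave::IntegrityError, "has MIME type mismatch" unless detected_type == new_file.content_type`.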
data/lib/publify_core/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: publify_core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 9.2.
|
4
|
+
version: 9.2.9
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Matijs van Zuijlen
|
@@ -11,7 +11,7 @@ authors:
|
|
11
11
|
autorequire:
|
12
12
|
bindir: bin
|
13
13
|
cert_chain: []
|
14
|
-
date: 2022-05-
|
14
|
+
date: 2022-05-22 00:00:00.000000000 Z
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
17
|
name: aasm
|