publify_core 9.2.8 → 9.2.9



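--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: ceb79c67a3eab641f5515e427d022de68e365fa219c18dd686127063669f1d09
- data.tar.gz: 1d2916a5932b8f0797ddf5af93359d593829d91c5509f7e64490d9250f3de71e
+ metadata.gz: 72e8560336bbbbfd2c517840b744e34509782d0f4d6db7cde5ee607230770b65
+ data.tar.gz: 886335b6900c26cfc579bf4197304b0e30cb8eedbe4c362a5394d153cb746487
  SHA512:
- metadata.gz: 9460c12c7a912eed0462b0e8769af2d23419bc0f7132ea7a071eb72c2e544d437b1f5ab2cdd89ec5ab28445e63cc42bb0628a39892d31baf3d82f8437d3fefb2
- data.tar.gz: 32cfcbade0b7fe6573daaf6fbe37c6f416e8e8a33b0a43b072c7678ec4b484c7a62fcf1eab76bf779b7f7141cf986a1094ed8c1be9ca10adad3c2a77deaac154
+ metadata.gz: 695ae9d70e7cb24e7b10b4c2efaaff9d13e32bdcde17e5fcc4be6aab288f5d8d1a0b74465b54f79dd28cf1fbc55a3c7f0e80d02074e8706e863bbba15ddd0368
+ data.tar.gz: 3044549f33cfe4db50562be0d0441e3fc952b433181eefc861768cbeb3072b11be25780c40b2977572ce69d38df945af520c09343d294920eccdf17198b9d143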
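--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,10 @@
  # Changelog
 
+ ## 9.2.9 / 2022-05-22
+
+ * Fix admin article access control [#1065](https://github.com/publify/publify/pull/1065)
+ * Refuse html files as resources even if declared to be plain text [#1066](https://github.com/publify/publify/pull/1066)
+
  ## 9.2.8 / 2022-05-14
 
  * Fix password protected article reveal [#1049](https://github.com/publify/publify/pull/1049)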
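--- a/PATH_NOT_SHOWN_ON_PAGE (Admin::ContentController)
+++ b/PATH_NOT_SHOWN_ON_PAGE (Admin::ContentController)
@@ -58,9 +58,9 @@ class Admin::ContentController < Admin::BaseController
  end
 
  def update
- return unless access_granted?(params[:id])
+ id = params[:id]
+ return unless access_granted?(id)
 
- id = params[:article][:id] || params[:id]
  @article = Article.find(id)
 
  if params[:article][:draft]
@@ -101,6 +101,7 @@ class Admin::ContentController < Admin::BaseController
  return false unless request.xhr?
 
  id = params[:article][:id] || params[:id]
+ return if id && !access_granted?(id)
 
  article_factory = Article::Factory.new(this_blog, current_user)
  @article = article_factory.get_or_build_from(id)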
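Review bot: The new `update` takes the article id from the route parameter for both the `access_granted?` check and the `Article.find` lookup, but nothing in the code records why; a one-line comment would keep a later refactor from reintroducing the split, e.g. `# Authorize and load by the same id: a form-supplied params[:article][:id] must never select the record.` The second hunk keeps `params[:article][:id] || params[:id]` as the lookup id and now guards it with the same check, so both agree there too, though its enclosing method begins outside the hunk and what `access_granted?` renders on failure for an XHR request is not visible here. The bare `return` relies on `access_granted?` having already written a response, so a comment such as `# access_granted? is expected to have rendered the denial` would make that dependency explicit for the next reader.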
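--- a/PATH_NOT_SHOWN_ON_PAGE (ResourceUploader)
+++ b/PATH_NOT_SHOWN_ON_PAGE (ResourceUploader)
@@ -4,7 +4,7 @@ require "marcel"
 
  class ResourceUploader < CarrierWave::Uploader::Base
  include CarrierWave::MiniMagick
- before :cache, :check_image_content_type!
+ before :cache, :check_content_type!
 
  def content_type_allowlist
  [%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
@@ -37,26 +37,24 @@ class ResourceUploader < CarrierWave::Uploader::Base
  content_type&.include?("image")
  end
 
- def check_image_content_type!(new_file)
- if image?(new_file)
- magic_type = mime_magic_content_type(new_file)
- if magic_type != new_file.content_type
- raise CarrierWave::IntegrityError, "has MIME type mismatch"
- end
+ def check_content_type!(new_file)
+ detected_type = if image? new_file
+ file_content_content_type(new_file)
+ else
+ file_content_type(new_file)
+ end
+ if detected_type != new_file.content_type
+ raise CarrierWave::IntegrityError, "has MIME type mismatch"
  end
  end
 
  private
 
- # NOTE: This method was adapted from MagicMimeBlacklist#extract_content_type
- # from CarrierWave 1.0.0 and SanitizedFile#mime_magic_content_type from CarrierWave 0.11.2
- def mime_magic_content_type(new_file)
- content_type = nil
-
- File.open(new_file.path) do |fd|
- content_type = Marcel::MimeType.for(fd)
- end
+ def file_content_content_type(new_file)
+ Marcel::MimeType.for Pathname.new(new_file.path)
+ end
 
- content_type
+ def file_content_type(new_file)
+ Marcel::MimeType.for Pathname.new(new_file.path), name: new_file.filename
  end
  end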
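Review bot: The new private helpers `file_content_content_type` and `file_content_type` are undocumented and their names differ by a single word, so the reason images are sniffed from the file bytes alone while every other file also passes `name: new_file.filename` is lost with the removed NOTE; a comment on each would help, e.g. `# Images: trust only the magic bytes, so a mismatching extension is caught.` and `# Other files: magic bytes plus the filename hint, so a body declared text/plain is still rejected if the content is detected as something else.` — the second sentence is what the changelog claims, so please confirm it against Marcel's actual precedence. The comparison `detected_type != new_file.content_type` is strict equality, so a legitimate plain-text upload that Marcel recognises as a more specific type would presumably now be refused as a mismatch; a test case pinning the intended behaviour for such files would be worth adding. Stylistically, `image? new_file` and `Marcel::MimeType.for Pathname.new(...)` omit parentheses while the neighbouring calls use them; `image?(new_file)` and `Marcel::MimeType.for(Pathname.new(new_file.path), name: new_file.filename)` would match the rest of the class, and renaming `file_content_content_type` to something like `magic_content_type` would remove the doubled word.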
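--- a/PATH_NOT_SHOWN_ON_PAGE (PublifyCore::VERSION)
+++ b/PATH_NOT_SHOWN_ON_PAGE (PublifyCore::VERSION)
@@ -1,5 +1,5 @@
  # frozen_string_literal: true
 
  module PublifyCore
- VERSION = "9.2.8"
+ VERSION = "9.2.9"
  end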
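--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: publify_core
  version: !ruby/object:Gem::Version
- version: 9.2.8
+ version: 9.2.9
  platform: ruby
  authors:
  - Matijs van Zuijlen
@@ -11,7 +11,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-05-14 00:00:00.000000000 Z
+ date: 2022-05-22 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: aasm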