ghost 3.42.7 → 3.42.8

@@ -11,7 +11,12 @@ module.exports = function url(options) {
11
11
  const absolute = options && options.hash.absolute && options.hash.absolute !== 'false';
12
12
  let outputUrl = getMetaDataUrl(this, absolute);
13
13
 
14
- outputUrl = encodeURI(decodeURI(outputUrl));
14
+ try {
15
+ outputUrl = encodeURI(decodeURI(outputUrl));
16
+ } catch (err) {
17
+ // Happens when the outputURL contains an invalid URI character like "%%" or "%80"
18
+ return new SafeString('');
19
+ }
15
20
 
16
21
  return new SafeString(outputUrl);
17
22
  };
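Review bot: The new `catch (err)` around `encodeURI(decodeURI(outputUrl))` treats every exception alike and never uses `err`, so any failure other than the malformed-escape case named in the comment also becomes an empty URL with no trace. Both calls report bad input as `URIError`, so the handler can open with `if (!(err instanceof URIError)) { throw err; }` and keep the empty `SafeString` for that case only. Because the value is returned as a `SafeString`, which the template layer does not escape again, a short comment noting that `encodeURI` is the only encoding applied here (and that it is not HTML escaping) would help the next reader. The helper's body begins before this hunk.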
@@ -85,6 +85,8 @@ class OEmbed {
85
85
  }
86
86
 
87
87
  async fetchBookmarkData(url) {
88
+ // Metascraper doesn't handle leading/trailing whitespace
89
+ url = url.trim();
88
90
  const metascraper = require('metascraper')([
89
91
  require('metascraper-url')(),
90
92
  require('metascraper-title')(),
@@ -154,6 +156,10 @@ class OEmbed {
154
156
  }
155
157
 
156
158
  fetchOembedData(_url, cardType) {
159
+ // Trimming solves the difference of url validation between `new URL(url)`
160
+ // and metascraper.
161
+ _url = _url.trim();
162
+
157
163
  // parse the url then validate the protocol and host to make sure it's
158
164
  // http(s) and not an IP address or localhost to avoid potential access to
159
165
  // internal network endpoints
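Review bot: `_url = _url.trim();` in `fetchOembedData` narrows the gap between what `new URL(url)` validates and what the fetching library receives, but it does not close it. The URL parser also discards leading and trailing control characters and embedded tabs or newlines, which `trim()` leaves in place. Since the protocol and host check below is the guard against requests to internal endpoints, it would be more robust to pass the parsed object's `href` to the later fetch instead of the raw string, so the value that was validated is the value that is requested. The rest of the function is outside this hunk, so this assumes the raw `_url` is what is used further down. Both added `trim()` calls (here and in `fetchBookmarkData`) also throw a `TypeError` when the argument is not a string; a guard such as `if (typeof _url !== 'string') { ... }` would turn that into a validation error.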
@@ -1,5 +1,6 @@
1
1
  const _ = require('lodash');
2
2
  const path = require('path');
3
+ const {GhostError} = require('@tryghost/errors');
3
4
  const imageTransform = require('@tryghost/image-transform');
4
5
  const storage = require('../../../adapters/storage');
5
6
  const activeTheme = require('../../../../frontend/services/themes/active');
@@ -100,6 +101,12 @@ module.exports = function (req, res, next) {
100
101
  return storageInstance.read({path: storagePath});
101
102
  })
102
103
  .then((originalImageBuffer) => {
104
+ if (originalImageBuffer.length <= 0) {
105
+ throw new GhostError({
106
+ errorType: 'NoContentError',
107
+ statusCode: 204
108
+ });
109
+ }
103
110
  return imageTransform.resizeFromBuffer(originalImageBuffer, imageDimensionConfig);
104
111
  })
105
112
  .then((resizedImageBuffer) => {
@@ -108,7 +115,7 @@ module.exports = function (req, res, next) {
108
115
  }).then(() => {
109
116
  next();
110
117
  }).catch(function (err) {
111
- if (err.code === 'SHARP_INSTALLATION') {
118
+ if (err.code === 'SHARP_INSTALLATION' || err.code === 'IMAGE_PROCESSING' || err.errorType === 'NoContentError') {
112
119
  return redirectToOriginal();
113
120
  }
114
121
  next(err);
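Review bot: The widened condition in the `catch` handler now redirects to the original for every `IMAGE_PROCESSING` failure without recording it, so a corrupt or deliberately malformed upload that the resizer rejects leaves no trace for whoever operates the site. Logging the error before `return redirectToOriginal();` would keep these visible while preserving the fallback. In the added length check, `<= 0` can be `=== 0`, and a read that resolves without a buffer would throw a `TypeError` on `.length` and fall through to `next(err)`; `if (!originalImageBuffer || originalImageBuffer.length === 0) {` covers both. The `statusCode: 204` on the thrown `GhostError` never reaches the client because the handler redirects, which a comment could state. The middleware starts and ends outside these hunks.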
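--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "ghost",
- "version": "3.42.7",
+ "version": "3.42.8",
  "description": "The professional publishing platform",
  "author": "Ghost Foundation",
  "homepage": "https://ghost.org",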