ghost 5.130.1 → 5.130.3

package/core/built/admin/index.html

@@ -28,7 +28,7 @@
     </style>
 
     <link integrity="" rel="stylesheet" href="assets/vendor-0ede59da8efb5e28fa929557f7ff7154.css">
-    <link integrity="" rel="stylesheet" href="assets/ghost-3d0ad0c58f433d5735532bf25d4fd423.css" title="light">
+    <link integrity="" rel="stylesheet" href="assets/ghost-e474a058646b6df157de25ea1cd978d5.css" title="light">
 
     
 </head>
@@ -48,8 +48,8 @@
     <div id="ember-basic-dropdown-wormhole"></div>
 
     <script src="assets/vendor-aed0068cf9b67d042dd23a6343545b7b.js"></script>
-<script src="assets/chunk.728.077782a432061228b91e.js"></script>
-<script src="assets/chunk.524.8a4cbb5b8ae5cf01697e.js"></script>
-    <script src="assets/ghost-280b83af263b51bc4d6ce5bd8f536096.js"></script>
+<script src="assets/chunk.728.985c45ad584b4b91ca60.js"></script>
+<script src="assets/chunk.524.d4dce2126c430c48812b.js"></script>
+    <script src="assets/ghost-bf886dc6db7f0d5d41ebe6a468fadc90.js"></script>
 </body>
 </html>

package/core/server/services/explore-ping/ExplorePingService.js

@@ -33,7 +33,9 @@ module.exports = class ExplorePingService {
             ghost: this.ghostVersion.full,
             site_uuid: this.settingsCache.get('site_uuid'),
             url: this.config.get('url'),
-            theme: this.settingsCache.get('active_theme')
+            theme: this.settingsCache.get('active_theme'),
+            facebook: this.settingsCache.get('facebook'),
+            twitter: this.settingsCache.get('twitter')
         };
 
         try {

package/core/server/services/members/members-api/controllers/RouterController.js

@@ -4,6 +4,7 @@ const sanitizeHtml = require('sanitize-html');
 const {BadRequestError, NoPermissionError, UnauthorizedError, DisabledFeatureError, NotFoundError} = require('@tryghost/errors');
 const errors = require('@tryghost/errors');
 const {isEmail} = require('@tryghost/validator');
+const normalizeEmail = require('../utils/normalize-email');
 
 const messages = {
     emailRequired: 'Email is required.',
@@ -585,6 +586,23 @@ module.exports = class RouterController {
             });
         }
 
+        // Normalize email to prevent homograph attacks
+        let normalizedEmail;
+
+        try {
+            normalizedEmail = normalizeEmail(email);
+
+            if (normalizedEmail !== email) {
+                logging.info(`Email normalized from ${email} to ${normalizedEmail} for magic link`);
+            }
+        } catch (err) {
+            logging.error(`Failed to normalize [${email}]: ${err.message}`);
+
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidEmail)
+            });
+        }
+
         if (honeypot) {
             logging.warn('Honeypot field filled, this is likely a bot');
 
@@ -606,9 +624,9 @@ module.exports = class RouterController {
 
         try {
             if (emailType === 'signup' || emailType === 'subscribe') {
-                await this._handleSignup(req, referrer);
+                await this._handleSignup(req, normalizedEmail, referrer);
             } else {
-                await this._handleSignin(req, referrer);
+                await this._handleSignin(req, normalizedEmail, referrer);
             }
 
             res.writeHead(201);
@@ -626,7 +644,7 @@ module.exports = class RouterController {
         }
     }
 
-    async _handleSignup(req, referrer = null) {
+    async _handleSignup(req, normalizedEmail, referrer = null) {
         if (!this._allowSelfSignup()) {
             if (this._settingsCache.get('members_signup_access') === 'paid') {
                 throw new errors.BadRequestError({
@@ -640,14 +658,14 @@ module.exports = class RouterController {
         }
 
         const blockedEmailDomains = this._settingsCache.get('all_blocked_email_domains');
-        const emailDomain = req.body.email.split('@')[1]?.toLowerCase();
+        const emailDomain = normalizedEmail.split('@')[1]?.toLowerCase();
         if (emailDomain && blockedEmailDomains.includes(emailDomain)) {
             throw new errors.BadRequestError({
                 message: tpl(messages.blockedEmailDomain)
             });
         }
 
-        const {email, emailType} = req.body;
+        const {emailType} = req.body;
 
         const tokenData = {
             labels: req.body.labels,
@@ -657,13 +675,13 @@ module.exports = class RouterController {
             attribution: await this._memberAttributionService.getAttribution(req.body.urlHistory)
         };
 
-        return await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
     }
 
-    async _handleSignin(req, referrer = null) {
-        const {email, emailType} = req.body;
+    async _handleSignin(req, normalizedEmail, referrer = null) {
+        const {emailType} = req.body;
 
-        const member = await this._memberRepository.get({email});
+        const member = await this._memberRepository.get({email: normalizedEmail});
 
         if (!member) {
             throw new errors.BadRequestError({
@@ -672,7 +690,7 @@ module.exports = class RouterController {
         }
 
         const tokenData = {};
-        return await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
     }
 
     /**

package/core/server/services/members/members-api/utils/normalize-email.js

@@ -0,0 +1,31 @@
+const punycode = require('punycode/');
+
+/**
+ * Normalizes email addresses by converting Unicode domains to ASCII (punycode)
+ * This prevents homograph attacks where Unicode characters are used to spoof
+ * domains
+ *
+ * @param {string} email The email address to normalize
+ * @returns {string} The normalized email address
+ * @throws {Error} When punycode conversion fails
+ */
+function normalizeEmail(email) {
+    if (!email || typeof email !== 'string') {
+        return null;
+    }
+
+    const atIndex = email.lastIndexOf('@');
+
+    if (atIndex === -1) {
+        return email;
+    }
+
+    const localPart = email.substring(0, atIndex);
+    const domainPart = email.substring(atIndex + 1);
+
+    const asciiDomain = punycode.toASCII(domainPart);
+
+    return `${localPart}@${asciiDomain}`;
+}
+
+module.exports = normalizeEmail;

package/core/server/services/settings/SettingsBREADService.js

@@ -24,12 +24,14 @@ class SettingsBREADService {
      * @param {Object} options.singleUseTokenProvider
      * @param {Object} options.urlUtils
      * @param {Object} options.labsService - labs service instance
+     * @param {Object} options.limitsService - limits service instance
      * @param {{service: Object}} options.emailAddressService
      */
-    constructor({SettingsModel, settingsCache, labsService, mail, singleUseTokenProvider, urlUtils, emailAddressService}) {
+    constructor({SettingsModel, settingsCache, labsService, limitsService, mail, singleUseTokenProvider, urlUtils, emailAddressService}) {
         this.SettingsModel = SettingsModel;
         this.settingsCache = settingsCache;
         this.labs = labsService;
+        this.limitsService = limitsService;
         this.emailAddressService = emailAddressService;
 
         /* email verification setup */
@@ -194,6 +196,8 @@ class SettingsBREADService {
         }
 
         if (stripeConnectData) {
+            await this.limitsService.errorIfWouldGoOverLimit('limitStripeConnect');
+
             filteredSettings.push({
                 key: 'stripe_connect_publishable_key',
                 value: stripeConnectData.public_key

package/core/server/services/settings/settings-service.js

@@ -5,6 +5,7 @@
 const events = require('../../lib/common/events');
 const models = require('../../models');
 const labs = require('../../../shared/labs');
+const limits = require('../limits');
 const config = require('../../../shared/config');
 const adapterManager = require('../adapter-manager');
 const SettingsCache = require('../../../shared/settings-cache');
@@ -30,6 +31,7 @@ const getSettingsBREADServiceInstance = () => {
         SettingsModel: models.Settings,
         settingsCache: SettingsCache,
         labsService: labs,
+        limitsService: limits,
         mail,
         singleUseTokenProvider: new SingleUseTokenProvider({
             SingleUseTokenModel: models.SingleUseToken,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "5.130.1",
+  "version": "5.130.3",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-5.130.1.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-5.130.3.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -233,7 +233,7 @@
     "@types/bookshelf": "1.2.9",
     "@types/common-tags": "1.8.4",
     "@types/jsonwebtoken": "9.0.10",
-    "@types/node": "22.16.4",
+    "@types/node": "22.16.5",
     "@types/node-jose": "1.1.13",
     "@types/nodemailer": "6.4.17",
     "@types/sinon": "17.0.4",
@@ -274,7 +274,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-5.130.1.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-5.130.3.tgz"
   },
   "nx": {
     "targets": {