Commit Graph

38761 Commits

Author SHA1 Message Date
Martin Brennan
3f7658cc6e
SECURITY: Add content-disposition: attachment for SVG uploads
* strip out the href and xlink:href attributes from use element that
  are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  svgs embedded using an img tag do not suffer from the same exploit
2020-07-09 13:54:45 +10:00
Jeff Wong
271d6319ce Support plugin and Theme compatibility version manifests (#9995)
Adds a new rake task `plugin:checkout_compatible_all` and
`plugin:checkout_compatible[plugin-name]` that check out compatible plugin
versions.

Supports a .discourse-compatibility file in the root of plugins and themes that
list out a plugin's compatibility with certain discourse versions:

eg: .discourse-compatibility
```
2.5.0.beta6: some-git-hash
2.4.4.beta4: some-git-tag
2.2.0: git-reference
```

This ensures older Discourse installs are able to find and install older
versions of plugins without intervention, through the manifest only.

It iterates through the versions in descending order. If the current Discourse
version matches an item in the manifest, it checks out the listed plugin target.
If the Discourse version is greater than an item in the manifest, it checks out
the next highest version listed in the manifest.

If no versions match, it makes no change.
2020-07-08 15:45:47 -07:00
Régis Hanol
c33847b30d FIX: uploading an existing image as a site setting
The previous fix (f43c0a5d85) wasn't working for images that were already uploaded.
The "metadata" (eg. 'for_*' and 'secure' attributes) were not added to existing uploads.

Also used 'Upload.get_from_url' in the admin/site_setting controller to properly retrieve
an upload from its URL.

Fixed the Upload::URL_REGEX to use the \h (hexadecimal) for the SHA

Follow-up-to: f43c0a5d85
2020-07-03 19:19:14 +02:00
Régis Hanol
08407905ba FIX: uploading an image as a site setting
When uploading an image as a site setting, we need to return the "raw" URL, otherwise
when saving the site setting, the upload won't be looked up properly.

Follow-up-to: f11363d446
2020-07-03 14:59:15 +02:00
Osama Sayegh
4a10350496 FIX: Negative limit values shouldn't cause error 500 (#10162) 2020-07-02 15:15:25 -04:00
Guo Xiang Tan
e94907eea4 FIX: Delete related search data when record has been deleted. 2020-07-02 15:14:17 -04:00
Vinoth Kannan
260bb6f073 FIX: return cdn url for uploads if available.
Currently it is displaying non-cdn urls in the composer preview.
2020-07-02 15:14:01 -04:00
Robin Ward
3a14bd6b14 FIX: Support root paths that omit the trailing slash and have QPs 2020-07-02 15:13:44 -04:00
Robin Ward
81ce3c8e50 FIX: Search was not multisite aware 2020-07-02 15:13:32 -04:00
Sam Saffron
7bfbecad7e PERF: cache all metadata for 60 seconds
Clients tend to request webmanifests and such very often.

Keep the data cached for 60 seconds so it is not requested aggressively.
2020-07-02 15:12:59 -04:00
Gerhard Schlager
f69e5a4d7e FIX: Sometimes not all output of psql was logged during restores
There was a race condition which could prevent Discourse from logging the last couple of lines of output from psql.
2020-07-02 15:12:44 -04:00
Sam Saffron
43a41f3928 FIX: emoji_autocomplete_min_chars failing when not 0
autocomplete resolving to [] was causing it to stop working.
Instead we have a special const (SKIP) which ensures it will
continue to be evaluated and only this instance is skipped.
2020-07-02 15:12:30 -04:00
Mark VanLandingham
67cc6731c6 FIX: update theme fields when updating from ThemesInstallTask (#10143) 2020-07-02 15:12:15 -04:00
Régis Hanol
3de1cf128c FIX: identify slug-less topic urls everywhere
In 91c89df6, I fixed the onebox to support local topics with a slug-less URL.
This commit fixes all the other spots (search, topic links and user badges) where we look up a local topic.

Follow-up-to: 91c89df6
2020-07-02 15:11:36 -04:00
Dan Ungureanu
1f6f1604c9 FIX: Serialize an empty array if no suggested topics exist (#10134)
It used to return nil, which was ambiguous (empty vs absent
result).
2020-07-02 15:10:52 -04:00
Joshua Rosenfeld
8fbc41d993 FIX: Broken specs
`/u/` is no longer in robots.txt, so don't test for it
2020-07-02 15:09:50 -04:00
Joshua Rosenfeld
417bdcb53a FIX: Remove paths from robots.txt in favor of noindex header
Google no longer supports the use of robots.txt to block indexing.
See https://support.google.com/webmasters/answer/6062608 and
https://support.google.com/webmasters/answer/93710

Previous commits have added the `noindex` header to appropriate pages,
now we need to remove the paths from robots.txt so the pages can be
crawled.

Follow up to:
13f229808a
b6765aac4b
676be3a853
07b728c5e5
c94e6a9a66
2020-07-02 15:09:40 -04:00
Régis Hanol
d156b7749d FIX: match discobot triggers on cooked version
In French, the help trigger has a raw content of "afficher l'aider" which is then cooked into "afficher l’aide" (note the different quote character).
Since we were checking the raw content of the trigger against the cooked version of the post, this trigger never worked in French.

This changes so that we cook the trigger before checking it against the cooked version of the post.

DEV: new 'discobot_username' method that is used everywhere instead of 'discobot_user.username' / 'discobot_user.username_lower'
2020-07-02 15:09:22 -04:00
Sam Saffron
17182edab2 FIX: invalid urls should not break store.has_been_uploaded?
Breaking this method has wide ramification including breaking
search indexing.
2020-07-02 15:09:10 -04:00
Sam Saffron
ae520b62e4 FEATURE: allow disabling of extra term injection in search
There is a feature in search where we take over from the tokenizer
in postgres and attempt to inject more words into search.

So for example: sam.i.am will inject the words i and am.

This is not ideal cause there are many edge cases and this can
cause extreme index bloat.

This is an opening move commit to make it configurable, over the
next few weeks we will evaluate and decide if we disable this by
default or simply remove.
2020-07-02 15:08:53 -04:00
Sam Saffron
5f5dd9ea67 PERF: stop adding more topics to search when not needed
The logic of adding additional search results does not seem to be
needed anymore.

It appears to be a relic of an old implementation.

This saves an entire search query for every search made.
2020-07-02 15:08:33 -04:00
Guo Xiang Tan
f10f87cc68 FIX: Avoid marking notifications as seen in readonly mode. 2020-07-02 15:08:13 -04:00
Roman Rizzi
1b17482eab FIX: Uploads cannot be mapped due to the cook-text's element attr being null (#10136) 2020-06-30 12:07:50 -03:00
David Taylor
19db1a7d2a
FIX: Correct version comparison logic when comparing stable to beta (#10135)
* FIX: Correct version comparison logic when comparing stable to beta

For example, version 1.3.0 should be considered higher than 1.3.0.beta3. So `Discourse.has_needed_version?('1.3.0', '1.3.0.beta3')` should return true

* Switch to use Gem::Version to compare versions
2020-06-30 09:37:01 +01:00
tshenry
c271b0c394
FIX: published-page-header should be a sibling to published-page-body not a parent (#10126) 2020-06-25 14:59:33 -07:00
Neil Lalonde
6a42acbfb7
Version bump to v2.5.0 2020-06-24 13:56:53 -04:00
Neil Lalonde
eb10109c99
Merge diffs from master 2020-06-24 13:48:37 -04:00
Neil Lalonde
607d00f780
Merge master 2020-06-24 13:47:36 -04:00
Neil Lalonde
8e07ee7e36
Update translations
Carefully because permalink.external_url is untranslated in many
locales due to a recent change in client.en.yml in 516a03be09.
2020-06-24 10:47:45 -04:00
Régis Hanol
7109d94ee7 FIX: properly invalidate inline oneboxes when rebaking
When rebaking a post we were invalidating _regular_ oneboxes but not inline oneboxes.

DEV: also renamed 'InlineOneboxer.purge' to 'InlineOneboxer.invalidate' to keep
the API consistent with 'Oneboxer.invalidate'
2020-06-24 11:54:54 +02:00
Joffrey JAFFEUX
df1f804400
FIX: ensures moderation history is accessible from topic/post admin menu (#10118) 2020-06-24 10:49:47 +02:00
Bianca Nenciu
75151f0457
FIX: Use correct URL for unsubscribe (#10077) 2020-06-24 09:31:20 +02:00
Sam Saffron
9ffc022cf4
DEV: improve verbose mode for reindexer
This makes the verbose mode provide a bit of progress notification
while reindexing as it can take many hours to do a giant site
2020-06-24 17:29:45 +10:00
Sam Saffron
2987901043
FIX: skip category notification_level unless scoped
#b19dcac2 improved the serializer so it sends default notification
levels to users to work around cases where a category edit would
result in clients being left with invalid notification state

Unfortunately this did not address the root issue.

When we edit categories we publish state to multiple users this
means that the serializer is executed unscoped with no user.

The client already handles this case per:

dcad720a4c/app/assets/javascripts/discourse/app/models/site.js (L119-L119)

If a property is not shipped to it, it will leave it alone on the
existing category.
This fix ensures that these wide category info updates do not
include notification state to avoid corruption of local state.
2020-06-24 17:08:12 +10:00
Jarek Radosz
0e2f7ecfd0
DEV: Make component-test afterEach async aware (#10099)
Before this fix, if a test case was async, `afterEach` callback would be executed immediately, without waiting for the test to finish. 😬
2020-06-24 16:03:38 +10:00
Bianca Nenciu
843bf0df75
FIX: Add migration to delete tracking state for staged users (#10083) 2020-06-24 15:58:14 +10:00
Kane York
52278ce6fd
FIX: Use Discourse.system_user when we need a placeholder admin (#9781) 2020-06-24 15:51:30 +10:00
Neil Lalonde
713298c622
FIX: advanced tutorial errors when all categories are secured (#10111)
The category hashtag step will fail with an error when all
categories aren't public. Choose a category that the user can see.
2020-06-24 15:45:50 +10:00
Bianca Nenciu
42226e12ee
FEATURE: Add after-user-name plugin outlet (#10113) 2020-06-24 15:45:11 +10:00
Sam Saffron
dcad720a4c
DEV: add optional verbose logging to re-index job
This verbose logging can be useful when executing the job by hand
for debugging purposes

In general people will not use this
2020-06-24 15:37:08 +10:00
Guo Xiang Tan
b28d97b64a
FIX: Bump onebox for twitch video and clips embedding fix. 2020-06-24 11:00:30 +08:00
dependabot-preview[bot]
e0cd7ddada Build(deps): Bump excon from 0.74.0 to 0.75.0
Bumps [excon](https://github.com/excon/excon) from 0.74.0 to 0.75.0.
- [Release notes](https://github.com/excon/excon/releases)
- [Changelog](https://github.com/excon/excon/blob/master/changelog.txt)
- [Commits](https://github.com/excon/excon/compare/v0.74.0...v0.75.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-06-24 09:35:51 +08:00
dependabot-preview[bot]
f6ad0d3fac Build(deps): Bump diff-lcs from 1.4 to 1.4.1
Bumps [diff-lcs](https://github.com/halostatue/diff-lcs) from 1.4 to 1.4.1.
- [Release notes](https://github.com/halostatue/diff-lcs/releases)
- [Changelog](https://github.com/halostatue/diff-lcs/blob/master/History.md)
- [Commits](https://github.com/halostatue/diff-lcs/compare/v1.4...v1.4.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-06-24 09:35:12 +08:00
Jarek Radosz
13087cab54 FIX: Prevent typing "#" when showing "Jump to…"
Closes https://meta.discourse.org/t/the-shortcut-behaves-wrong-in-some-browsers/155531
2020-06-24 00:25:54 +02:00
Rafael dos Santos Silva
4c543b4a49
UX: Make youtube embeds full width by default (#10106)
* UX: Make youtube embeds full width by default

* UX: Make youtube embeds fluid by default actually

* Remove double sizes in yt-lazy
2020-06-23 17:21:36 -03:00
dependabot-preview[bot]
4a189f396e
Build(deps): Bump diff-lcs from 1.3 to 1.4 (#10112)
Bumps [diff-lcs](https://github.com/halostatue/diff-lcs) from 1.3 to 1.4.
- [Release notes](https://github.com/halostatue/diff-lcs/releases)
- [Changelog](https://github.com/halostatue/diff-lcs/blob/master/History.md)
- [Commits](https://github.com/halostatue/diff-lcs/compare/v1.3...v1.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-06-23 12:46:46 -04:00
Régis Hanol
91c89df68a FIX: onebox local topic when using slug-less URL
When linking to a topic in the same Discourse, we try to onebox the link to show the title
and other various information depending on whether it's a "standard" or "inline" onebox.

However, we were not properly detecting links to topics that had no slugs (eg. https://meta.discourse.org/t/1234).
2020-06-23 17:18:38 +02:00
dependabot-preview[bot]
50ea3c8743
Build(deps): Bump rails_failover from 0.5.1 to 0.5.2 (#10107)
Bumps rails_failover from 0.5.1 to 0.5.2.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-06-23 10:45:15 -04:00
David Taylor
c5078e5dc1
DEV: Remove accidentally committed puts statements 2020-06-23 12:41:47 +01:00
Daniel Waterworth
368af327fa DEV: Reduce size of begin-rescue region
Follow-up-to: e3e7905d9e
2020-06-23 10:14:09 +01:00