Commit Graph

28482 Commits

Author SHA1 Message Date
Robin Ward
52ca0893e1 FIX: Broken specs 2018-08-28 14:29:38 +08:00
Neil Lalonde
911044f8a0 Version bump to v2.0.4 2018-08-21 11:53:29 -04:00
Guo Xiang Tan
5778c33ee7 FIX: Compatibility with ImageMagick 7.
http://www.imagemagick.org/Usage/misc/

"The "-interpolate" setting of 'Catrom' (generally imprecisely known as 'BiCubic' interpolation)"
2018-08-16 09:49:52 +08:00
Neil Lalonde
37a01975e9 SECURITY: prevent use of X-Forwarded-Host to perform XSS 2018-08-13 17:10:06 -04:00
Neil Lalonde
49681b762a Version bump to v2.0.3 2018-07-26 14:14:22 -04:00
David Taylor
6f5b8f61df FIX: Remove return statement from inside block 2018-07-26 16:00:45 +01:00
Régis Hanol
aeaf6b5a7c SECURITY: force IM decoder based on file extension - part 3 2018-07-25 23:55:41 +02:00
Régis Hanol
01714e40f4 SECURITY: force IM decoder based on file extension - part 2 2018-07-25 23:08:38 +02:00
Régis Hanol
b04b7c366c SECURITY: force IM decoder based on file extension 2018-07-25 22:01:08 +02:00
David Taylor
6520697b5c FIX: Remove plugin.enabled? checks at initialization time (#6166)
Checking `plugin.enabled?` while initializing plugins causes issues in two ways:
- An application restart is required for changes to take effect. A load-balanced multi-server environment could behave very weirdly if containers restart at different times.
- In a multisite environment, it takes the `enabled?` setting from the default site. Changes on that site affect all other sites in the cluster.

Instead, `plugin.enabled?` should be checked at runtime, in the context of a request. This commit removes `plugin.enabled?` from many `instance.rb` methods.

I have added a working `plugin.enabled?` implementation for methods that actually affect security/functionality:
- `post_custom_fields_whitelist`
- `whitelist_staff_user_custom_field`
- `add_permitted_post_create_param`
2018-07-25 16:51:45 +01:00
Robin Ward
878aee965b SECURITY: Consider 0.0.0.0 a private IP 2018-07-24 11:17:13 -04:00
Sam
cf9b4a789b FIX: update mini_racer in stable
This is required due to a bundler/build bug that means it is picking the wrong
version of libv8 when compiling mini_racer
2018-07-24 12:25:45 +10:00
Vinoth Kannan
b7ebb0268f FIX: returns provider_not_enabled error even if enabled 2018-07-16 11:08:48 +01:00
Sam
297b899c68 SECURITY: extra CORS headers should be set on correct host 2018-07-11 09:29:45 +10:00
David Taylor
6f25421a06 SECURITY: Do not allow authentication with disabled plugin-supplied a… (#6071)
Do not allow authentication with disabled plugin-supplied auth providers
2018-07-09 14:26:44 +10:00
Sam
849b4b5685 SECURITY: category badges should HTML escape names 2018-06-28 18:16:12 +10:00
Joffrey JAFFEUX
aafd883466 SECURITY: prevents XSS when showing tooltip 2018-06-27 14:53:31 +02:00
Dax74
612bc4f95b
Link updated
See https://meta.discourse.org/t/wrong-link-on-manual-admin-creation/90849
2018-06-27 11:41:03 +02:00
Neil Lalonde
34ad6749db FIX: missing translations for mobile flag modal 2018-06-25 20:21:47 -04:00
Neil Lalonde
365c99cf3f Version bump to v2.0.2 2018-06-21 10:39:00 -04:00
Sam
f2cb89b0d2 SECURITY: update sprockets for CVE-2018-3760 2018-06-20 09:50:28 +10:00
Guo Xiang Tan
a90364ac6c Monkey patch in 7830a950ef 2018-06-19 10:36:20 +08:00
Neil Lalonde
8c3380791b Version bump to v2.0.1 2018-06-12 12:13:47 -04:00
Joffrey JAFFEUX
5e4a1e812a UX: reworks dashboard problems section to be in line with new style 2018-06-12 11:48:53 -04:00
Arpit Jalan
57f5f7d755 FIX: do not show SSO external_email to moderators 2018-06-12 11:48:10 -04:00
Guo Xiang Tan
ff7cbf6935 FIX: Ensure we have proper timeout for MiniRacer. 2018-06-12 11:48:08 -04:00
Joe
7c9aa82625 FIX: adjust 2FA input width in mobile login form 2018-06-12 11:48:08 -04:00
Joe
1612c28718 FIX: adjust max-width of social login buttons for non-English locals 2018-06-12 11:48:07 -04:00
Neil Lalonde
a8d2d24a49 fix indent 2018-06-12 11:48:07 -04:00
Neil Lalonde
a279e43025 FIX: broken mailto href's in emails 2018-06-12 11:48:07 -04:00
Joffrey JAFFEUX
2b3faa8d0b FIX: do not use number helper for charts Y value 2018-06-12 11:48:06 -04:00
Joffrey JAFFEUX
940c0f569f FIX: incorrect backup and update times on dashboard 2018-06-12 11:48:06 -04:00
Joffrey JAFFEUX
e66d5425e4 FIX: slightly safer rounding 2018-06-12 11:48:06 -04:00
Joffrey JAFFEUX
2f84d43bb2 FIX: makes format number round the value before using parseInt 2018-06-12 11:48:05 -04:00
Joe
134300001c FIX: user-fields layout in desktop create account form 2018-06-12 11:48:05 -04:00
Joffrey JAFFEUX
7c57cd6897 FIX: removes buggy/unnecessary local-dates margin 2018-06-12 11:48:05 -04:00
Joe
cb9753267a FIX: user-fields layout in mobile create account form 2018-06-12 11:48:04 -04:00
Vinoth Kannan
17e7d3b526 FIX: avatar_url includes upload_path twice when local storage used 2018-06-12 11:48:04 -04:00
Guo Xiang Tan
b7865bac27 FIX: Permalink route matcher should always be last. 2018-06-12 11:48:04 -04:00
Guo Xiang Tan
a74d62d618 FIX: Disconnects all connections in the pool before forking.
* We were leaking connections as a result. Connections opened
  before the fork were never closed.
2018-06-12 11:48:03 -04:00
Régis Hanol
db3f31a841 FIX: unable to add new poll to post with a public poll 2018-06-12 11:48:03 -04:00
Joffrey JAFFEUX
9334d36a23 FIX: sharing popup not showing on macos/chrome
Despite `navigator.share` being defined the call was failing with this error:

```
sharing DOMException: Internal error: could not connect to Web Share interface.
```
2018-06-12 11:48:03 -04:00
Robin Ward
e37af71f2e FIX: Protection against dangling category group records 2018-06-12 11:48:02 -04:00
Robin Ward
abbb0ece4f FIX: Keyboard shortcuts didn't work on subfolders 2018-06-12 11:48:02 -04:00
Joe
08aca35b37 FIX: alignment for instructions on change email and 2FA fields 2018-06-12 11:48:02 -04:00
Blake Erickson
afbbdfc05f FIX: Allow a user to remove their title
Somewhere there was a regression and a user couldn't remove their own
title. If they selected '(none)' in the UI it would say it was saved,
but it would not actually be updated in the db.
2018-06-12 11:48:01 -04:00
Neil Lalonde
e90f80e788 Update translations 2018-06-08 10:45:46 -04:00
Neil Lalonde
894d287a7f Version bump to v2.0.0 2018-05-31 18:24:41 -04:00
Kris
0aa8d75be1 safety so pre blocks can't break modal width 2018-05-31 18:23:32 -04:00
Kris
12ebcc325b envelope missing on invite page, long pre lines making modals wide 2018-05-31 18:19:59 -04:00