Commit Graph

34242 Commits

Author SHA1 Message Date
Rafael dos Santos Silva
ad7a13921f
FIX: Use cached MaxMind DB for longer
Don't try to update the IP database as it's gone.

This allows users to rebuild Discourse while we work on a proper
fix / alternative database.
2019-12-31 13:07:43 -03:00
Robin Ward
a6701d8710 FIX: Gemfile bundler was breaking build
We update bundler in app.yml and the version received was too
new for our Gemfile.lock
2019-12-26 14:40:27 -05:00
Robin Ward
6e88dde635 FIX: Build was broken due to missing file
It seems a file was in the base image but .gitignored, so the
stable branch got into a weird state.
2019-12-26 14:40:13 -05:00
Neil Lalonde
d4e0eb63a2 Version bump to v2.3.8 2019-12-19 14:22:00 -05:00
David Taylor
ff4a6a37de SECURITY: Correct permission check when revoking user API keys 2019-12-17 11:07:36 +00:00
Krzysztof Kotlarek
1c49875048 SECURITY: vulnerability in WildcardUrlChecker 2019-12-13 09:55:43 -05:00
Krzysztof Kotlarek
e1e571d32c SECURITY: upgrade rack-mini-profiler to avoid possible XSS (#8537) 2019-12-12 13:23:09 +11:00
Dan Ungureanu
554b0f366d
SECURITY: Ensure only image uploads can be inlined
This prevents malicious files (for example special crafted XMLs) to be
used in XSS attacks.
2019-12-11 17:08:58 +02:00
Dan Ungureanu
43ddb6b36d
SECURITY: Remove event handlers from SVG files 2019-12-11 17:08:57 +02:00
Neil Lalonde
5b17584adb Version bump to v2.3.7 2019-12-05 13:11:05 -05:00
Joffrey JAFFEUX
5cb00d5528 DEV: s/\$redis/Discourse\.redis
With manual merge conflicts
2019-12-03 14:26:57 +01:00
Sam Saffron
14db879a31 DEV: Implement a faster Discourse.cache
This is a bottom up rewrite of Discourse cache to support faster performance
and a limited surface area.

ActiveSupport::Cache::Store accepts many options we do not use, this partial
implementation only picks the bits out that we do use and want to support.

Additionally params are named which avoids typos such as "expires_at" vs "expires_in"

This also moves a few spots in Discourse to use Discourse.cache over setex
Performance of setex and Discourse.cache.write is similar.
2019-12-03 14:03:30 +01:00
Sam Saffron
ef791a5b1f DEV: use Discourse.cache over Rails.cache
With manual merge
2019-12-03 14:03:21 +01:00
Neil Lalonde
69983297ed Version bump to v2.3.6 2019-11-06 12:46:03 -05:00
David Taylor
914e50db49 DEV: Update users controller spec following user_search update 2019-11-06 17:32:10 +00:00
Robin Ward
5f01814397 FIX: Handle nil case for avatar, just in case 2019-10-28 11:30:34 -03:00
Robin Ward
069d358c80 FIX: Allow avatar downloads to follow redirects 2019-10-28 11:30:21 -03:00
David Taylor
c38c37bcc3 SECURITY: Check permissions when autocompleting mentions 2019-10-28 12:20:26 +00:00
Robin Ward
afea20953f FIX: Broken certificates 2019-10-24 14:13:27 -03:00
Roman Rizzi
3a73f29928 FIX: Rate limit and hijack certificate generation. (#8215)
To eliminate a DDOS attack vector, we're taking the following measures:

The endpoint will be rate-limited to 3 requests every 60 seconds (per user).
A 24 hours max-age cache header is sent with the response.
The route will be hijacked to generate the certificate in the background.
2019-10-22 15:39:58 -03:00
Krzysztof Kotlarek
5bcc1c1cd5 FIX: Narrative Bot certificates are ERB templates (#8174)
There are at least two ways of rendering templates outside of the controller. The first one is Rails way enabled with Rails 5 https://evilmartians.com/chronicles/new-feature-in-rails-5-render-views-outside-of-actions
The downside of this method is that all variables need to be passed as params (I could find a way to pass the whole context)

Another way is to use instance_eval described in Erubi documentation
https://github.com/jeremyevans/erubi#usage - it works perfectly fine, however, I didn't feel very confident about using eval unless necessary.

An additional benefit of using `ApplicationController.render` is that if Rails would change the ERB engine in the future, this code should still work.

If you want to test it on your local, you need to be signed in and then that two URLs are generating certificates:
http://localhost:3000/discobot/certificate.svg?date=Oct+07+2019&type=standard&user_id=1
http://localhost:3000/discobot/certificate.svg?date=Oct+07+2019&type=advanced&user_id=1

Dev: https://dev.discourse.org/t/discourse-narrative-bot-should-not-be-storing-giant-strings/17130
2019-10-22 15:39:42 -03:00
Neil Lalonde
76f6ee501f Version bump to v2.3.5 2019-10-10 11:44:33 -04:00
Roman Rizzi
e4570ffb78 DEV: Bump uglifyjs (#7834)
* Rewrite uglifyjs command to work with 3.x

* Use ES5 syntax in plain JS files

* Use the older command if uglifyJS V2.x is installed
2019-10-09 10:36:15 -03:00
Sam Saffron
8f001bdb1b SECURITY: mini profiler enabled incorrectly for admins
We expect mini profiler only to show up on accounts that are flagged as
developer accounts.

Unfortunately there was a bypass on any controllers that mix in ApplicationHelper
2019-10-09 12:50:58 +11:00
David Taylor
68fc799380 DEV: Allow specifying button class in reviewable action definitions (#8093)
This avoids the need for using `@extend` in SCSS, which can be problematic in plugins

For context, see https://review.discourse.org/t/fix-make-compatible-with-debundled-plugin-css-assets-feature/5297/7
2019-10-08 15:06:15 -03:00
Sam Saffron
67e8fbc480 FIX: change focus when application resumes in android
Per new lifecycle https://developers.google.com/web/updates/2018/07/page-lifecycle-api

On Android and latest Chrome when an app transitions from "frozen" to
active the new "resume" event fires with no accompanying "visibilitychange"
event.

This means that often background tabs may be stuck thinking that discourse
has no focus when, indeed, it has.

This leads to cases where no posts are marked read anymore.
2019-10-08 00:04:54 +02:00
Neil Lalonde
3e73c0a34d Version bump to v2.3.4 2019-10-01 17:43:25 -04:00
romanrizzi
ba3dbcc117 Spec should not depend on aliases 2019-10-01 18:35:41 -03:00
Robin Ward
cd20d0fdfd SECURITY: Don't allow base_uri as embeddable host if none exist 2019-10-01 17:58:39 +02:00
Sam Saffron
fd0bb34001 SECURITY: update rack-mini-profiler to latest to correct XSS
This corrects an XSS in ?pp=help.

Also removes the jQuery dependency from rack-mini-profiler and restricts
memory sensitive profiling methods development only.
2019-10-01 16:56:51 +10:00
Penar Musaraj
6e04120e71 SECURITY: XSS when oneboxing user profile location field
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
2019-09-17 16:36:53 -04:00
Roman Rizzi
fd1a2a4c07 FIX: Improve protection against problematic usernames (#8097) 2019-09-13 15:52:05 -03:00
Penar Musaraj
051462cbe2 FIX: IE grid layout issue on user's own activity page 2019-09-12 11:15:47 -04:00
Nick Quaranto
21c11c2bb2 Use Discourse.getURL for /clicks/track so clicks can be tracked on relative URLs (#8079) 2019-09-09 23:17:43 -07:00
Régis Hanol
39a427efce DEV: plugin API to register User custom field types 2019-09-06 12:16:59 +02:00
Roman Rizzi
24fc0aba9b FIX: :reject_user_delete action can only be handled by ReviewableUser (#8068) 2019-09-05 11:44:16 -03:00
Jeff Wong
b72dbb0be0 FEATURE: add before-topic-progress plugin outlet 2019-09-04 11:29:05 -07:00
Neil Lalonde
046b6300d1 Version bump to v2.3.3 2019-09-04 10:44:22 -04:00
Roman Rizzi
52fdc1468d Feature/Fix: Flagged posts user notifications (#8041)
* FIX: User should get notified when a post is deleted

* FEATURE: Notify posters when restoring flagged posts

* Fix typo

Co-Authored-By: Régis Hanol <regis@hanol.fr>

* Improve tests
2019-09-02 15:22:03 -03:00
David Taylor
51b7f4d900 FIX: When activating via omniauth, create tokens after password reset
Resetting a password invalidates all email tokens, so we need to create the tokens after the password reset.
2019-08-28 14:50:07 +01:00
David Taylor
3b9e8a0849 FIX: When activating a user, ensure the change is reflected immediately
When activating a user via an external provider, this would cause the "this account is not activated" message to show on the first attempt, even though the account had been activated correctly.
2019-08-28 14:09:03 +01:00
David Taylor
f80f8a34c0 SECURITY: Reset password when activating an account via auth provider
Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
2019-08-28 14:08:55 +01:00
Sam Saffron
a3d42e2c52 FIX: add_to_serializer not correctly accounting for inheritance chains
This is a very long standing bug we had, if a plugin attempted to amend a
serializer core was not "correcting" the situation for all descendant classes
this often only showed up in production cause production eager loads serializers
prior to plugins amending them.

This is a critical fix for various plugins
2019-08-27 18:23:32 +10:00
Sam Saffron
6477531098 SECURITY: add rate limiting to anon JS error reporting
This adds a 1 minute rate limit to all JS error reporting per IP. Previously
we would only use the global rate limit.

This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to
false then no JS error reporting will be allowed on the site.
2019-08-20 11:31:58 +10:00
Arpit Jalan
aea541d037 SECURITY: don't reveal category details to users that do not have access 2019-08-19 12:51:15 +05:30
David Taylor
d237da16c5 SECURITY: Restrict message-bus access on login_required sites 2019-08-14 10:11:28 +01:00
Gerhard Schlager
ab3e18090f FIX: Disallow user self-delete when user posted in PMs
All posts created by the user are counted unless they are deleted,
belong to a PM sent between a non-human user and the user or belong
to a PM created by the user which doesn't have any other recipients.

It also makes the guardian prevent self-deletes when SSO is enabled.
2019-08-10 12:06:40 +02:00
Roman Rizzi
0be47023d4 FIX: Use unescaped title as combo-box id (#7979) 2019-08-08 12:52:34 -03:00
David Taylor
b1d2e4daf3 FIX: Composer preview on IE11 (#7970)
Add the Array.from polyfill for IE11. This is required to support the transpiled ES6 spread syntex generated by babel: https://babeljs.io/docs/en/caveats/
2019-08-05 14:44:13 +01:00
Sam Saffron
c587df7e2a Revert "FEATURE: add Noindex to robots.txt for disallowed routes"
This reverts commit d84256a876.

This is not supported by Google and causes robots.txt to be flagged as
invalid

Removing Noindex
2019-07-30 11:37:00 +10:00