Robin Ward
fe8bd92f71
SECURITY: SQL injection with default categories
...
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.
The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event of bad data somehow
already exists.
2019-07-11 13:53:12 -04:00
Robin Ward
4fd470e63d
SECURITY: Strip HTML from invite emails
...
We also strip new lines from the emails because it ruins the markdown
formatting which expects a one line message.
2019-07-05 14:58:46 -04:00
Gerhard Schlager
b549cab2ad
FIX: Don't send notification email when user isn't allowed to see topic
2019-07-02 09:05:36 +10:00
Neil Lalonde
04be572a92
Merge diffs from master
2019-06-17 20:07:19 -04:00
Neil Lalonde
a4308fdd43
Merge master
2019-06-17 20:04:04 -04:00
Jeff Wong
893b50031d
replace subfolder on cdn url conversion between general cdn and s3 ( #7764 )
...
When both a cdn URL and an s3 cdn URL defined, subfolder paths were leaking
through to the s3 cdn URL. If we are replacing the cdn url with the s3_cdn url,
we also need to make sure that the subpath is removed as well, as it appears in
the original cdn url.
The test should give a fairly good gist of the situations - in subfolder
situations where s3_cdn and a cdn is defined:
`asset_path` returns the asset with a subfolder, in the form `{cdn_url}/{subfolder}/{asset_path}`
Currently this is being replaced to `{s3_cdn_url}/{subfolder}/{asset_path}`
I am proposing we change this to: `{s3_cdn_url}/{asset_path}` as it seems like
for s3_cdn urls we should not be carrying around app subfolder pathing anywhere
we are looking up s3 paths.
2019-06-17 11:51:17 -07:00
David Taylor
40cbcc7720
SECURITY: Add confirmation screen when logging in via email link
2019-06-17 18:20:48 +01:00
David Taylor
e6e47f2fb2
SECURITY: Add confirmation screen when logging in via user-api OTP
2019-06-17 16:18:44 +01:00
David Taylor
52387be4a4
SECURITY: Add confirmation screen when logging in via email link
2019-06-17 16:18:37 +01:00
David Taylor
5f6f707080
Revert "Merge pull request from GHSA-hv9p-jfm4-gpr9"
...
This reverts commit b8340c6c8e
.
2019-06-17 16:17:10 +01:00
David Taylor
b8340c6c8e
Merge pull request from GHSA-hv9p-jfm4-gpr9
...
* SECURITY: Add confirmation screen when logging in via email link
* SECURITY: Add confirmation screen when logging in via user-api OTP
* FIX: Correct translation key in session controller specs
* FIX: Use .email-login class for page
2019-06-17 15:59:41 +01:00
Arpit Jalan
863d8014d0
FIX: respond with 400 error on invalid redirect param
2019-06-17 16:44:30 +05:30
Sam Saffron
704c579550
FIX: do not allow unbound membership lookups
...
Previously we would allow looking up membership limits in an unbound way
via the API, this introduces an upper limit of 1000 per page.
2019-06-17 15:32:06 +10:00
Sam Saffron
fe4f0a4369
FIX: staged users should not be included in TL groups
...
staged users should not be included in any automatic groups cause for all
purposes they do not exist.
2019-06-17 15:10:47 +10:00
Guo Xiang Tan
5d16d10a9e
DEV: Fix edge case for InlineUploads
.
2019-06-14 13:48:03 +08:00
Guo Xiang Tan
befb074c98
DEV: InlineUploads
should process CDN upload URLs as well.
2019-06-14 13:14:37 +08:00
Guo Xiang Tan
41abebcbce
DEV: Support both http
and https
for InlineUploads
.
2019-06-14 12:48:31 +08:00
Guo Xiang Tan
c9db897777
FIX: Remove onebox src from Jobs::PullHotlinkedImages
.
...
The test that was added is incorrect because the post was not cooked.
2019-06-14 09:21:25 +08:00
Vinoth Kannan
35d6fff69e
PERF: use url instead of file key in temporary inventory table.
2019-06-13 22:03:58 +05:30
Guo Xiang Tan
7a0d031bc4
FIX: InlineUploads
matching on external bbcode img url.
2019-06-13 13:47:36 +08:00
Guo Xiang Tan
782e583844
FIX: Edge cases with markdown references for InlineUploads
.
2019-06-13 12:08:01 +08:00
Guo Xiang Tan
93c552afda
FIX: InlineUploads
does not correct urls with uppercase extension.
2019-06-13 11:19:33 +08:00
Maja Komel
b4686934dd
DEV: add spec for removed group bio
2019-06-12 18:03:29 +02:00
Arpit Jalan
7b66f8fb46
DEV: optimize bulk invite process
2019-06-12 16:33:19 +05:30
Guo Xiang Tan
641521896c
FIX: Cover more edge cases in InlineUploads
.
2019-06-12 17:06:58 +08:00
Sam Saffron
739696fdf0
DEV: improve spec to specify all code block formats
...
Previously we only covered a few, this covers a few more formats.
2019-06-12 18:34:30 +10:00
Sam Saffron
89c4332ac1
DEV: correct spec making bad assumptions
...
bio_cooked is not meant to be touched directly, on save we "cook" the raw
bio.
2019-06-12 16:31:50 +10:00
Guo Xiang Tan
73bf880f74
FIX: Correct more edge cases with InlineUploads
.
2019-06-12 10:44:25 +08:00
Guo Xiang Tan
ff48fbdfda
FIX: InlineUploads
raises an error when img tag is invalid.
2019-06-12 10:31:00 +08:00
Bianca Nenciu
934adb14d2
FIX: On tag change notify only users watching the tag. ( #7707 )
2019-06-11 18:06:54 +03:00
Vinoth Kannan
1881e895dc
SPEC: correctly skips invalid upload urls
...
788f995f30
2019-06-11 20:15:40 +05:30
Vinoth Kannan
788f995f30
FIX: skip external urls which has upload url in query string.
...
Add spec tests for post.each_upload_url method. e8fafbc123
2019-06-11 19:55:02 +05:30
Arpit Jalan
e2636f0ec7
FIX: handle array in redirect param
2019-06-11 17:49:09 +05:30
Guo Xiang Tan
40e67971f9
DEV: Add spec for Email::Sender
for upload links in plain text emails.
2019-06-11 16:02:24 +08:00
Guo Xiang Tan
fb0a655e8a
FEATURE: Update pull hotlinked images to use Upload#short_url
.
2019-06-11 15:17:29 +08:00
Guo Xiang Tan
42ab016856
FIX: Use markdown for images and attachments in Email::Receiver
.
2019-06-11 14:49:46 +08:00
Guo Xiang Tan
9d0fba64c0
FIX: Use attachment format in user export system post take 2.
2019-06-11 12:15:11 +08:00
Guo Xiang Tan
06d974d55c
FEATURE: Add base62 sha1 to cooked data attribute
...
* FEATURE: Add base62 sha1 to data attribute in `Post#cooked`.
* FIX: Use `Upload#short_url` when quoting an image.
2019-06-11 11:15:45 +10:00
Sam Saffron
7b17eb06da
FEATURE: ban any SSO attempts with invalid external id
...
We now treat any external_id of blank string (" " or " " or "", etc) or a
invalid word (none, nil, blank, null) - case insensitive - as invalid.
In this case the client will see "please contact admin" the logs will explain
the reason clearly.
2019-06-11 10:04:26 +10:00
Robin Ward
ef37af5ab0
FIX: Broken spec
2019-06-10 11:50:48 -04:00
Robin Ward
8c4e16eafd
FIX: In reply to would sometimes have a broken link
2019-06-10 11:33:10 -04:00
Guo Xiang Tan
799bd62803
DEV: Improve PrettyText
spec to test for markdown image title attr.
2019-06-10 11:00:23 +08:00
Vinoth Kannan
45aebd00a5
SPEC: improve the spec using stubbed S3 client.
...
4d1204b5e8
2019-06-08 18:10:35 +05:30
Gerhard Schlager
19edc4abb8
FIX: English locale must not fall back to any other locale
2019-06-07 21:53:01 +02:00
Neil Lalonde
a08b2589d4
FIX: removing hidden tag bumps topic when all tags are removed
...
JS sends empty string to remove all tags.
2019-06-07 14:25:46 -04:00
Gerhard Schlager
bae7b75e23
FIX: Updating a user profile as admin shouldn't change the user's locale
2019-06-07 17:53:46 +02:00
David Taylor
e3a9a2d2dd
FIX: Avoid infinite loop if disk space is low
...
We now continue to enqueue the pull_hotlinked_images job for optimized images, even if disk space is low
2019-06-07 14:24:22 +01:00
David Taylor
65b0cafc03
FIX: Always schedule pull_hotlinked_images in cooked_post_processor
...
The job is now used to pull optimized images, and images from other sites on the same CDN. This needs to run even if download_remote_images is false
2019-06-07 13:08:23 +01:00
David Taylor
54afa314fb
FIX: Do not download emojis in pull_hotlinked_images
2019-06-07 13:00:52 +01:00
Sam Saffron
f88dced0b7
PERF: optimize lookup of reviewable info in post stream
...
This previously was a hot path in topic view. Avoids an expensive active
record operation and instead perform SQL directly which is far more
targeted and efficient
2019-06-07 18:12:30 +10:00