Commit Graph

34230 Commits

Author SHA1 Message Date
Sam Saffron
ef791a5b1f DEV: use Discourse.cache over Rails.cache
With manual merge
2019-12-03 14:03:21 +01:00
Neil Lalonde
69983297ed Version bump to v2.3.6 2019-11-06 12:46:03 -05:00
David Taylor
914e50db49 DEV: Update users controller spec following user_search update 2019-11-06 17:32:10 +00:00
Robin Ward
5f01814397 FIX: Handle nil case for avatar, just in case 2019-10-28 11:30:34 -03:00
Robin Ward
069d358c80 FIX: Allow avatar downloads to follow redirects 2019-10-28 11:30:21 -03:00
David Taylor
c38c37bcc3 SECURITY: Check permissions when autocompleting mentions 2019-10-28 12:20:26 +00:00
Robin Ward
afea20953f FIX: Broken certificates 2019-10-24 14:13:27 -03:00
Roman Rizzi
3a73f29928 FIX: Rate limit and hijack certificate generation. (#8215)
To eliminate a DDOS attack vector, we're taking the following measures:

The endpoint will be rate-limited to 3 requests every 60 seconds (per user).
A 24 hours max-age cache header is sent with the response.
The route will be hijacked to generate the certificate in the background.
2019-10-22 15:39:58 -03:00
Krzysztof Kotlarek
5bcc1c1cd5 FIX: Narrative Bot certificates are ERB templates (#8174)
There are at least two ways of rendering templates outside of the controller. The first one is Rails way enabled with Rails 5 https://evilmartians.com/chronicles/new-feature-in-rails-5-render-views-outside-of-actions
The downside of this method is that all variables need to be passed as params (I could find a way to pass the whole context)

Another way is to use instance_eval described in Erubi documentation
https://github.com/jeremyevans/erubi#usage - it works perfectly fine, however, I didn't feel very confident about using eval unless necessary.

An additional benefit of using `ApplicationController.render` is that if Rails would change the ERB engine in the future, this code should still work.

If you want to test it on your local, you need to be signed in and then that two URLs are generating certificates:
http://localhost:3000/discobot/certificate.svg?date=Oct+07+2019&type=standard&user_id=1
http://localhost:3000/discobot/certificate.svg?date=Oct+07+2019&type=advanced&user_id=1

Dev: https://dev.discourse.org/t/discourse-narrative-bot-should-not-be-storing-giant-strings/17130
2019-10-22 15:39:42 -03:00
Neil Lalonde
76f6ee501f Version bump to v2.3.5 2019-10-10 11:44:33 -04:00
Roman Rizzi
e4570ffb78 DEV: Bump uglifyjs (#7834)
* Rewrite uglifyjs command to work with 3.x

* Use ES5 syntax in plain JS files

* Use the older command if uglifyJS V2.x is installed
2019-10-09 10:36:15 -03:00
Sam Saffron
8f001bdb1b SECURITY: mini profiler enabled incorrectly for admins
We expect mini profiler only to show up on accounts that are flagged as
developer accounts.

Unfortunately there was a bypass on any controllers that mix in ApplicationHelper
2019-10-09 12:50:58 +11:00
David Taylor
68fc799380 DEV: Allow specifying button class in reviewable action definitions (#8093)
This avoids the need for using `@extend` in SCSS, which can be problematic in plugins

For context, see https://review.discourse.org/t/fix-make-compatible-with-debundled-plugin-css-assets-feature/5297/7
2019-10-08 15:06:15 -03:00
Sam Saffron
67e8fbc480 FIX: change focus when application resumes in android
Per new lifecycle https://developers.google.com/web/updates/2018/07/page-lifecycle-api

On Android and latest Chrome when an app transitions from "frozen" to
active the new "resume" event fires with no accompanying "visibilitychange"
event.

This means that often background tabs may be stuck thinking that discourse
has no focus when, indeed, it has.

This leads to cases where no posts are marked read anymore.
2019-10-08 00:04:54 +02:00
Neil Lalonde
3e73c0a34d Version bump to v2.3.4 2019-10-01 17:43:25 -04:00
romanrizzi
ba3dbcc117 Spec should not depend on aliases 2019-10-01 18:35:41 -03:00
Robin Ward
cd20d0fdfd SECURITY: Don't allow base_uri as embeddable host if none exist 2019-10-01 17:58:39 +02:00
Sam Saffron
fd0bb34001 SECURITY: update rack-mini-profiler to latest to correct XSS
This corrects an XSS in ?pp=help.

Also removes the jQuery dependency from rack-mini-profiler and restricts
memory sensitive profiling methods development only.
2019-10-01 16:56:51 +10:00
Penar Musaraj
6e04120e71 SECURITY: XSS when oneboxing user profile location field
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
2019-09-17 16:36:53 -04:00
Roman Rizzi
fd1a2a4c07 FIX: Improve protection against problematic usernames (#8097) 2019-09-13 15:52:05 -03:00
Penar Musaraj
051462cbe2 FIX: IE grid layout issue on user's own activity page 2019-09-12 11:15:47 -04:00
Nick Quaranto
21c11c2bb2 Use Discourse.getURL for /clicks/track so clicks can be tracked on relative URLs (#8079) 2019-09-09 23:17:43 -07:00
Régis Hanol
39a427efce DEV: plugin API to register User custom field types 2019-09-06 12:16:59 +02:00
Roman Rizzi
24fc0aba9b FIX: :reject_user_delete action can only be handled by ReviewableUser (#8068) 2019-09-05 11:44:16 -03:00
Jeff Wong
b72dbb0be0 FEATURE: add before-topic-progress plugin outlet 2019-09-04 11:29:05 -07:00
Neil Lalonde
046b6300d1 Version bump to v2.3.3 2019-09-04 10:44:22 -04:00
Roman Rizzi
52fdc1468d Feature/Fix: Flagged posts user notifications (#8041)
* FIX: User should get notified when a post is deleted

* FEATURE: Notify posters when restoring flagged posts

* Fix typo

Co-Authored-By: Régis Hanol <regis@hanol.fr>

* Improve tests
2019-09-02 15:22:03 -03:00
David Taylor
51b7f4d900 FIX: When activating via omniauth, create tokens after password reset
Resetting a password invalidates all email tokens, so we need to create the tokens after the password reset.
2019-08-28 14:50:07 +01:00
David Taylor
3b9e8a0849 FIX: When activating a user, ensure the change is reflected immediately
When activating a user via an external provider, this would cause the "this account is not activated" message to show on the first attempt, even though the account had been activated correctly.
2019-08-28 14:09:03 +01:00
David Taylor
f80f8a34c0 SECURITY: Reset password when activating an account via auth provider
Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
2019-08-28 14:08:55 +01:00
Sam Saffron
a3d42e2c52 FIX: add_to_serializer not correctly accounting for inheritance chains
This is a very long standing bug we had, if a plugin attempted to amend a
serializer core was not "correcting" the situation for all descendant classes
this often only showed up in production cause production eager loads serializers
prior to plugins amending them.

This is a critical fix for various plugins
2019-08-27 18:23:32 +10:00
Sam Saffron
6477531098 SECURITY: add rate limiting to anon JS error reporting
This adds a 1 minute rate limit to all JS error reporting per IP. Previously
we would only use the global rate limit.

This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to
false then no JS error reporting will be allowed on the site.
2019-08-20 11:31:58 +10:00
Arpit Jalan
aea541d037 SECURITY: don't reveal category details to users that do not have access 2019-08-19 12:51:15 +05:30
David Taylor
d237da16c5 SECURITY: Restrict message-bus access on login_required sites 2019-08-14 10:11:28 +01:00
Gerhard Schlager
ab3e18090f FIX: Disallow user self-delete when user posted in PMs
All posts created by the user are counted unless they are deleted,
belong to a PM sent between a non-human user and the user or belong
to a PM created by the user which doesn't have any other recipients.

It also makes the guardian prevent self-deletes when SSO is enabled.
2019-08-10 12:06:40 +02:00
Roman Rizzi
0be47023d4 FIX: Use unescaped title as combo-box id (#7979) 2019-08-08 12:52:34 -03:00
David Taylor
b1d2e4daf3 FIX: Composer preview on IE11 (#7970)
Add the Array.from polyfill for IE11. This is required to support the transpiled ES6 spread syntex generated by babel: https://babeljs.io/docs/en/caveats/
2019-08-05 14:44:13 +01:00
Sam Saffron
c587df7e2a Revert "FEATURE: add Noindex to robots.txt for disallowed routes"
This reverts commit d84256a876.

This is not supported by Google and causes robots.txt to be flagged as
invalid

Removing Noindex
2019-07-30 11:37:00 +10:00
David Taylor
85cdf213e1 FIX: Hide live-loaded posts from ignored users 2019-07-27 14:00:34 +01:00
David Taylor
e9c0fb0621 SECURITY: Sanitize email id for use as mutex key 2019-07-24 13:51:08 +01:00
David Taylor
c4ff66e1a5 DEV: Correct merge conflicts for 9cfe3f99 2019-07-24 13:31:16 +01:00
David Taylor
9cfe3f9948 SECURITY: Add confirmation screen when connecting associated accounts 2019-07-24 13:29:59 +01:00
Gerhard Schlager
90a1aa5536 SECURITY: Validate backup chunk identifier 2019-07-22 08:44:38 +02:00
Neil Lalonde
af192ff9d5 Version bump to v2.3.2 2019-07-15 10:00:45 -04:00
Guo Xiang Tan
3663ef6394 Fix the build.
Follow up to 4b0cf7f6dd.
2019-07-15 16:42:58 +08:00
Guo Xiang Tan
477bacb3ae SECURITY: XSS when displaying watched words in admin panel.
The XSS here is only possible if CSP is disabled. Low impact since CSP
is enabled by default in SiteSettings.
2019-07-15 10:58:52 +08:00
Robin Ward
fe8bd92f71 SECURITY: SQL injection with default categories
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.

The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event of bad data somehow
already exists.
2019-07-11 13:53:12 -04:00
Robin Ward
2f91f88d06 SECURITY: Upgrade lodash
There is a security hole in lodash with prototype pollution. It's not
clear if Discourse is affected but to be on the safe side we will
upgrade right away.

Note that the front end Discourse does not appear to use `defaultsDeep`
in our custom build and should be protected.
2019-07-11 10:51:44 -04:00
Robin Ward
d1c12539dd SECURITY: XSS with title selector on preferences page
Note this is very low severity as the group needs to be created with a
default title that contains HTML, and group creation is restricted to
staff members right now.
2019-07-09 17:35:26 -04:00
Robin Ward
4fd470e63d SECURITY: Strip HTML from invite emails
We also strip new lines from the emails because it ruins the markdown
formatting which expects a one line message.
2019-07-05 14:58:46 -04:00