github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-21 08:14:01 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
discourse/lib
History
Robin Ward 1d38040579 SECURITY: SQL injection with default categories 
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.

The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event of bad data somehow
already exists.
2019-07-11 13:41:51 -04:00
..
active_record/connection_adapters
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
auth
FEATURE: Trigger Discourse events from authenticators. (#7724)
2019-06-11 11:28:42 +10:00
autospec
DEV: make parallel spec optional with autospec
2019-06-21 11:00:28 +10:00
backup_restore
FIX: Remapping during restore was wrong for CDN URLs
2019-07-09 17:34:41 +02:00
common_passwords
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
content_security_policy
FEATURE: Calculate CSP based on active themes (#6976)
2019-02-11 12:32:04 +00:00
demon
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
email
DEV: Add spec for Email::Sender for upload links in plain text emails.
2019-06-11 16:02:24 +08:00
emoji
FEATURE: adds early support for new emojis (#7785)
2019-06-20 11:30:09 +02:00
es6_module_transpiler
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
file_store
FEATURE: Add hidden setting to include S3 uploads in backups
2019-07-09 14:04:16 +02:00
freedom_patches
FEATURE: SKIP_DB_AND_REDIS env var (#7756)
2019-06-13 12:58:27 +10:00
generators
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
guardian
FEATURE: opt-in guidance on topics for users without access (#7852)
2019-07-04 10:12:39 +02:00
highlight_js
DEV: already defined constant 'HIGHLIGHTJS_DIR'
2019-01-21 10:12:23 +01:00
i18n
FIX: English locale must not fall back to any other locale
2019-06-07 21:53:01 +02:00
import
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
import_export
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
javascripts
FEATURE: Add Belarusian language
2019-07-04 11:37:37 +02:00
middleware
FEATURE: enable_performance_http_headers for performance diagnostics
2019-06-05 16:08:11 +10:00
migration
DEV: prevent already defined global warning
2019-05-16 11:32:10 +02:00
onebox
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
plugin
FIX: ensures emoji helper is working with custom emojis (#7843)
2019-07-03 09:23:40 +02:00
pretty_text
FEATURE: Add base62 sha1 to cooked data attribute
2019-06-11 11:15:45 +10:00
rate_limiter
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
reviewable
FIX: ensures url to full reviewable conversation works on subfolder
2019-06-24 11:31:07 -04:00
scheduler
FEATURE: log long running jobs in the defer queue
2018-10-12 17:03:47 +11:00
search
FEATURE: when under extreme load disable search
2019-07-02 11:22:01 +10:00
seed_data
FIX: Consistently handle category param
2019-05-27 16:39:56 +08:00
sidekiq
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
site_settings
SECURITY: SQL injection with default categories
2019-07-11 13:41:51 -04:00
stylesheet
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
svg_sprite
FIX: Add Chromebook detection.
2019-05-30 16:29:51 +03:00
tasks
DEV: allows lodash to be updated with rake javascript:update (#7881)
2019-07-11 16:57:03 +02:00
theme_store
Revert "FEATURE: admin/user exports are compressed using the zip format (#7784)"
2019-07-10 11:38:51 -03:00
turbo_tests
FIX: Turbo tests exit codes
2019-07-09 08:51:23 +01:00
validators
FIX: Blocked watched words should apply to staff (#7547)
2019-05-16 15:19:41 +01:00
wizard
Update UI for wizard themes further reading step (#7669)
2019-06-03 10:47:17 -04:00
admin_confirmation.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
admin_constraint.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
admin_user_index_query.rb
DEV: stop mutating inputs as a side effect
2019-04-30 10:25:53 +10:00
age_words.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
archetype.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
auth.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
avatar_lookup.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
badge_posts_view_manager.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
badge_queries.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
base62.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
browser_detection.rb
FIX: Add Chromebook detection.
2019-05-30 16:29:51 +03:00
cache.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
canonical_url.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
category_badge.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
comment_migration.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
composer_messages_finder.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
configurable_urls.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
content_buffer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
content_security_policy.rb
FEATURE: Calculate CSP based on active themes (#6976)
2019-02-11 12:32:04 +00:00
cooked_post_processor.rb
FIX: don't disable download_remote_images_to_local if site uses S3 (#7861)
2019-07-05 13:36:03 +10:00
crawler_detection.rb
FIX: use crawler layout when saving url in Wayback Machine (#7667)
2019-06-03 12:13:32 +10:00
current_user.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
custom_renderer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
custom_setting_providers.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
db_helper.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
directory_helper.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse_cookie_store.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse_diff.rb
PERF: limit time spent diffing large blobs of text
2019-06-27 01:45:52 +02:00
discourse_event.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse_hub.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse_iife.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse_ip_info.rb
FIX: exception which was meant to be ignored and logged was failing
2019-05-28 11:45:12 +10:00
discourse_logstash_logger.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse_plugin_registry.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse_plugin.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse_redis.rb
FIX: Don't use DistributedCache to store redis readonly state
2019-06-25 11:20:34 +08:00
discourse_tagging.rb
FIX: Fail if none of our tags could be updated
2019-07-05 11:40:18 -04:00
discourse_updates.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
discourse.rb
FIX: Don't use DistributedCache to store redis readonly state
2019-06-25 11:20:34 +08:00
disk_space.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
distributed_cache.rb
REFACTOR: distributed_cache is moved to the message_bus gem
2018-10-15 15:01:45 -04:00
distributed_memoizer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
distributed_mutex.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
edit_rate_limiter.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
email_backup_token.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
email_cook.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
email_updater.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
email.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
encodings.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
enum_site_setting.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
enum.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
excerpt_parser.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
feed_element_installer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
feed_item_accessor.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
file_helper.rb
FIX: ensure we can download maxmind without redis or db config
2019-05-28 10:28:57 +10:00
filter_best_posts.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
final_destination.rb
FIX: ensure we can download maxmind without redis or db config
2019-05-28 10:28:57 +10:00
flag_query.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
flag_settings.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
gaps.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
global_path.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
guardian.rb
FEATURE: Add new group visibility option for "logged on users" (#7814)
2019-07-08 15:09:50 -04:00
has_errors.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
headless-ember.js
hijack.rb
Take 2 of 0f5161af195a06692af25355e985ee9f6c90e173.
2019-04-29 16:41:35 +08:00
homepage_constraint.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
html_prettify.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
html_to_markdown.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
image_sizer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
inline_oneboxer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
introduction_updater.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
ip_addr.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
js_locale_helper.rb
FIX: Fallback locale was not available for extra translations
2019-05-24 11:38:26 +02:00
json_error.rb
FIX: Fix build.
2019-05-22 17:39:44 +03:00
letter_avatar.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
markdown_linker.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
mem_info.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
message_bus_diags.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
method_profiler.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
mini_sql_multisite_connection.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
mobile_detection.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
new_post_manager.rb
FEATURE: Show "in reply to" on the review queue
2019-06-05 12:34:41 -04:00
new_post_result.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
notification_levels.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
oneboxer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
onpdiff.rb
PERF: limit time spent diffing large blobs of text
2019-06-27 01:45:52 +02:00
pbkdf2.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
permalink_constraint.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
pinned_check.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
plain_text_to_markdown.rb
FIX: use URI.regexp to find URLs in plain text
2019-06-07 01:26:06 +02:00
plugin_gem.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
post_action_creator.rb
Migrate score settings to use sensitivities
2019-05-24 15:44:24 -04:00
post_action_destroyer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
post_action_result.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
post_creator.rb
FIX: Prevent deadlock (#7691)
2019-06-05 11:29:27 +10:00
post_destroyer.rb
FIX: If a user deletes a hidden post, it should not lose history
2019-06-20 12:38:16 -04:00
post_jobs_enqueuer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
post_locker.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
post_merger.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
post_revisor.rb
REFACTOR: use Ruby's sum
2019-06-27 01:54:40 +02:00
pretty_text.rb
FEATURE: Allow Markdown in post notices. (#7864)
2019-07-09 14:42:02 +03:00
primary_group_lookup.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
promotion.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
quote_comparer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
rate_limiter.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
read_only_header.rb
DEV: rename ReadOnly module to ReadOnlyHeader
2019-05-06 16:07:49 +02:00
remap.rb
DEV: Less verbose remapping
2019-07-09 14:04:16 +02:00
retrieve_title.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
route_format.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
rtl.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
s3_helper.rb
FEATURE: Support private attachments when using S3 storage (#7677)
2019-06-06 13:27:24 +10:00
s3_inventory.rb
PERF: use url instead of file key in temporary inventory table.
2019-06-13 22:03:58 +05:30
score_calculator.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
screening_model.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
search.rb
FIX: Turn off search logging when read-only (#7877)
2019-07-10 17:05:31 -07:00
secure_session.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
single_sign_on_provider.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
single_sign_on.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
site_icon_manager.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
site_setting_extension.rb
FIX: Remapping URLs didn't affect upload site settings
2019-06-04 18:37:10 +02:00
slug.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
socket_server.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
source_url.rb
Correct some missing spots for frozen_string_literal
2019-05-13 09:31:32 +08:00
spam_handler.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
sql_builder.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
staff_constraint.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
staff_message_format.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
suggested_topics_builder.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
system_message.rb
FIX: create system message in user selected locale
2019-05-29 21:43:43 +05:30
text_cleaner.rb
FEATURE: English locale with international date formats
2019-05-20 13:47:20 +02:00
text_sentinel.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
theme_javascript_compiler.rb
FEATURE: Multi-file javascript support for themes (#7526)
2019-06-03 10:41:00 +01:00
theme_settings_manager.rb
FEATURE: Load theme setting descriptions from theme locale files
2019-05-31 14:49:59 +01:00
theme_settings_parser.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
theme_translation_manager.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
theme_translation_parser.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
timeline_lookup.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
topic_creator.rb
FIX: Consistently handle category param
2019-05-27 16:39:56 +08:00
topic_list_responder.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
topic_publisher.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
topic_query_sql.rb
DEV: Rails 5.2 upgrade and global gem upgrade
2018-06-07 14:21:33 +10:00
topic_query.rb
PERF: speed up topic poster lookups
2019-06-05 18:28:36 +10:00
topic_retriever.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
topic_subtype.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
topic_view.rb
PERF: fix N+A+lot query
2019-06-08 12:30:21 +10:00
topics_bulk_action.rb
FIX: mark topics in sub categories as unread when dismissing parent
2019-06-27 13:26:48 +10:00
trust_level.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
turbo_tests.rb
DEV: Check for pending migrations before starting the turbo tests
2019-06-27 16:41:19 +01:00
twitter_api.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
unread.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
upload_creator.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
upload_fixer.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
upload_recovery.rb
DEV: improve uploads:recover job so it stores a map of old to new sha
2019-05-22 15:51:09 +10:00
url_helper.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00
user_name_suggester.rb
FIX: username suggester incorrectly skipping over whitelisted username
2019-05-28 16:48:46 +10:00
version.rb
Version bump to v2.4.0.beta1
2019-06-17 20:49:28 -04:00
wizard.rb
DEV: enable frozen string literal on all files
2019-05-13 09:31:32 +08:00