Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Dawa Ometto
|
bfbfb21c17 | ||
|
Dawa Ometto
|
137728cdab | ||
 Dawa Ometto
|
3f7fd21d4a | ||
|
Dawa Ometto
|
2204cef0ef | ||
|
Dawa Ometto
|
29ad7127d1 | ||
|
Dawa Ometto
|
123518b940 | ||
|
Dawa Ometto
|
dbe849707a |
+1
-1
@@ -21,7 +21,7 @@ Before submitting an issue, **please carefully look through the following places
|
||||
|
||||
Security vulnerabilities can be reported directly to the maintainers using these GPG keys:
|
||||
|
||||
* [@dometto](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD637E455CD3E27BF)
|
||||
* [@dometto](https://keys.openpgp.org/vks/v1/by-fingerprint/02354CC9F820B52CC2791979BB8CCC95FD83B795)
|
||||
|
||||
Lastly, please **consider helping out** by opening a Pull Request!
|
||||
|
||||
|
||||
@@ -4,8 +4,9 @@ gollum -- A git-based Wiki
|
||||
[](http://badge.fury.io/rb/gollum)
|
||||
[](https://travis-ci.org/gollum/gollum)
|
||||
[](https://www.codetriage.com/gollum/gollum)
|
||||
[](https://dometto-cuttingedge.herokuapp.com/github/gollum/gollum/info)
|
||||
|
||||
**Please update to gollum 5.1.1 to counter a recent exploit in the kramdown rendering gem, [CVE-2020-14001](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001)**
|
||||
**Please update to gollum 5.1.2 to counter a recent exploit. More info will follow after CVE is assigned.**
|
||||
|
||||
**Gollum version 5.0 is out!** See [here](https://github.com/gollum/gollum/wiki/5.0-release-notes) for a list of changes and new features compared to Gollum version 4.x, and see some [Screenshots](https://github.com/gollum/gollum/wiki/Screenshots) of Gollum's features.
|
||||
|
||||
|
||||
+3
-3
@@ -5,8 +5,8 @@ Gem::Specification.new do |s|
|
||||
s.required_ruby_version = '>= 1.9'
|
||||
|
||||
s.name = 'gollum'
|
||||
s.version = '5.1.1'
|
||||
s.date = '2020-08-11'
|
||||
s.version = '5.1.2'
|
||||
s.date = '2020-12-01'
|
||||
s.license = 'MIT'
|
||||
|
||||
s.summary = 'A simple, Git-powered wiki.'
|
||||
@@ -25,7 +25,7 @@ Gem::Specification.new do |s|
|
||||
|
||||
s.add_dependency 'gollum-lib', '~> 5.0'
|
||||
s.add_dependency 'kramdown', '~> 2.3'
|
||||
s.add_dependency 'kramdown-parser-gfm', '~> 1.0.0'
|
||||
s.add_dependency 'kramdown-parser-gfm', '~> 1.1.0'
|
||||
s.add_dependency 'sinatra', '~> 2.0'
|
||||
s.add_dependency 'sinatra-contrib', '~> 2.0'
|
||||
s.add_dependency 'mustache', ['>= 0.99.5', '< 1.0.0']
|
||||
|
||||
+1
-1
@@ -12,7 +12,7 @@ require 'rhino' if RUBY_PLATFORM == 'java'
|
||||
require File.expand_path('../gollum/uri_encode_component', __FILE__)
|
||||
|
||||
module Gollum
|
||||
VERSION = '5.1.1'
|
||||
VERSION = '5.1.2'
|
||||
|
||||
def self.assets_path
|
||||
::File.expand_path('gollum/public', ::File.dirname(__FILE__))
|
||||
|
||||
+2
-3
@@ -318,9 +318,8 @@ module Precious
|
||||
post '/edit/*' do
|
||||
etag = params[:etag]
|
||||
path = "/#{clean_url(sanitize_empty_params(params[:path]))}"
|
||||
page_name = CGI.unescape(params[:page])
|
||||
wiki = wiki_new
|
||||
page = wiki.page(::File.join(path, page_name))
|
||||
page = wiki.page(::File.join(path, params[:page]))
|
||||
|
||||
return if page.nil?
|
||||
if etag != page.sha
|
||||
@@ -417,7 +416,7 @@ module Precious
|
||||
|
||||
post '/preview' do
|
||||
wiki = wiki_new
|
||||
@name = params[:page] ? strip_page_name(CGI.unescape(params[:page])) : 'Preview'
|
||||
@name = params[:page] ? strip_page_name(params[:page]) : 'Preview'
|
||||
@page = wiki.preview_page(@name, params[:content], params[:format])
|
||||
['sidebar', 'header', 'footer'].each do |subpage|
|
||||
@page.send("set_#{subpage}".to_sym, params[subpage]) if params[subpage]
|
||||
|
||||
@@ -25,9 +25,9 @@ module Precious
|
||||
title = crumb.basename
|
||||
|
||||
if title == path.basename
|
||||
breadcrumb << %{<li class="breadcrumb-item" aria-current="page">#{title}</li>}
|
||||
breadcrumb << %{<li class="breadcrumb-item" aria-current="page">#{CGI.escape(title.to_s)}</li>}
|
||||
else
|
||||
breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{title}</a></li>}
|
||||
breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{CGI.escape(title.to_s)}</a></li>}
|
||||
end
|
||||
end
|
||||
breadcrumb << %{</ol></nav>}
|
||||
|
||||
@@ -32,7 +32,7 @@ module Precious
|
||||
path.descend do |crumb|
|
||||
element = "#{crumb.basename}"
|
||||
next if element == @page.title
|
||||
breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{element}</a></li>}
|
||||
breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{CGI.escape(element.to_s)}</a></li>}
|
||||
end
|
||||
breadcrumb << %{</ol></nav>}
|
||||
breadcrumb.join("\n")
|
||||
|
||||
+1
-1
@@ -474,7 +474,7 @@ EOF
|
||||
end
|
||||
|
||||
test "previews content" do
|
||||
post "/gollum/preview", :content => 'abc', :format => 'markdown', :page => 'Samewise%20Gamgee.mediawiki'
|
||||
post "/gollum/preview", :content => 'abc', :format => 'markdown', :page => 'Samewise Gamgee.mediawiki'
|
||||
assert last_response.ok?
|
||||
assert last_response.body.include?('Samewise Gamgee</h1>')
|
||||
end
|
||||
|
||||
@@ -43,6 +43,13 @@ context "Precious::Views::Overview" do
|
||||
@page.instance_variable_set("@base_url", "")
|
||||
assert_equal "<nav aria-label=\"Breadcrumb\"><ol><li class=\"breadcrumb-item\"><a href=\"/gollum/overview\">Home</a></li>\n<li class=\"breadcrumb-item\"><a href=\"/gollum/overview/Mordor/\">Mordor</a></li>\n<li class=\"breadcrumb-item\"><a href=\"/gollum/overview/Mordor/Eye-Of-Sauron/\">Eye-Of-Sauron</a></li>\n<li class=\"breadcrumb-item\" aria-current=\"page\">Saruman</li>\n</ol></nav>", @page.breadcrumb
|
||||
end
|
||||
|
||||
test 'guard against malicious filenames' do
|
||||
malicious_title = '<img src=x onerror=alert(1) />'
|
||||
@page.instance_variable_set("@path", malicious_title)
|
||||
@page.instance_variable_set("@base_url", "")
|
||||
assert @page.breadcrumb.include?(">%3Cimg+src%3Dx+onerror%3Dalert%281%29+</a>")
|
||||
end
|
||||
|
||||
test "breadcrumb with no path" do
|
||||
assert_equal 'Home', @page.breadcrumb
|
||||
|
||||
@@ -12,6 +12,17 @@ context "Precious::Views::Page" do
|
||||
teardown do
|
||||
FileUtils.rm_rf(@path)
|
||||
end
|
||||
|
||||
test 'guard against malicious filenames' do
|
||||
malicious_title = '<img src=x onerror=alert(1) />'
|
||||
@wiki.write_page(malicious_title, :markdown, 'Is Bilbo a hobbit? Why certainly!')
|
||||
page = @wiki.page(malicious_title)
|
||||
@view = Precious::Views::Page.new
|
||||
@view.instance_variable_set :@page, page
|
||||
@view.instance_variable_set :@content, page.formatted_data
|
||||
@view.instance_variable_set :@h1_title, false
|
||||
assert @view.breadcrumb.include?(">%3Cimg+src%3Dx+onerror%3Dalert%281%29+</a>")
|
||||
end
|
||||
|
||||
test "h1 title sanitizes correctly" do
|
||||
title = 'H1'
|
||||
|
||||
Reference in New Issue
Block a user