Release 3.1.2

Merge pull request #950 from repotag/fix_allow_editing
Set the allow_editing wiki option to true by default.
2015-01-23 00:27:04 +01:00 · 2015-01-23 00:26:22 +01:00 · 2015-01-23 00:14:13 +01:00 · 2015-01-23 00:00:01 +01:00 · 2015-01-13 10:18:51 +01:00 · 2015-01-12 19:04:07 -05:00
19 changed files with 43 additions and 14 deletions
@@ -1,4 +1,4 @@
 source 'https://rubygems.org'

 gemspec
-gem 'rake', '~> 10.2.2'
+gem 'rake', '~> 10.4'
@@ -1,3 +1,7 @@
+# 3.1.1 /2014-12-04
+
+* Security fix for [remote code execution issue](https://github.com/gollum/gollum/issues/913). Please update!
+
 # 3.1 / 2014-11-28

 * New features
@@ -109,6 +109,7 @@ Options:
        --base-path [PATH]           Specify the base path for the served pages (default: /) Example: --base-path wiki yields the home page accessible at http://localhost:4567/wiki/.
        --gollum-path [PATH]         Specify the path to the git repository to be served.
        --ref [REF]                  Specify the repository ref to use (default: master).
+        --bare                       Specify that the repository is bare (only necessary when using the grit adapter).
        --no-edit                    Restricts editing capability through frontend.
        --no-live-preview            Disables livepreview.
        --live-preview               Enables livepreview.
@@ -81,6 +81,10 @@ opts = OptionParser.new do |opts|
    wiki_options[:ref] = ref
  end

+  opts.on("--bare", "Specify that the repository is bare (only necessary when using the grit adapter).") do
+    wiki_options[:repo_is_bare] = true
+  end
+
  opts.on("--no-edit", "Restricts editing capability through frontend.")  do
    wiki_options[:allow_editing] = false
  end
@@ -5,8 +5,8 @@ Gem::Specification.new do |s|
  s.required_ruby_version = '>= 1.9'

  s.name              = 'gollum'
-  s.version           = '3.1.0'
-  s.date              = '2014-11-28'
+  s.version           = '3.1.2'
+  s.date              = '2015-01-23'
  s.rubyforge_project = 'gollum'
  s.license           = 'MIT'

@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
  s.rdoc_options = ['--charset=UTF-8']
  s.extra_rdoc_files = %w[README.md LICENSE]

-  s.add_dependency 'gollum-lib', '~> 4.0'
+  s.add_dependency 'gollum-lib', '~> 4.0', '>= 4.0.1'
  s.add_dependency 'github-markdown', '~> 0.6.5'
  s.add_dependency 'sinatra', '~> 1.4', '>= 1.4.4'
  s.add_dependency 'mustache', ['>= 0.99.5', '< 1.0.0']
@@ -16,7 +16,7 @@ require File.expand_path('../gollum/uri_encode_component', __FILE__)
 $KCODE = 'U' if RUBY_VERSION[0, 3] == '1.8'

 module Gollum
-  VERSION = '3.1.0'
+  VERSION = '3.1.2'

  def self.assets_path
    ::File.expand_path('gollum/public', ::File.dirname(__FILE__))
@@ -22,6 +22,13 @@ Gollum::set_git_max_filesize(190 * 10**6)
 # Fix to_url
 class String
  alias :upstream_to_url :to_url
+
+  if defined?(Gollum::GIT_ADAPTER) && Gollum::GIT_ADAPTER != 'grit'
+    def to_ascii
+      self # Do not transliterate utf-8 url's unless using Grit
+    end
+  end
+  
  # _Header => header which causes errors
  def to_url
    return nil if self.nil?
@@ -95,6 +102,7 @@ module Precious
      @css = settings.wiki_options[:css]
      @js  = settings.wiki_options[:js]
      @mathjax_config = settings.wiki_options[:mathjax_config]
+      settings.wiki_options[:allow_editing] = settings.wiki_options.fetch(:allow_editing, true)
      @allow_editing = settings.wiki_options[:allow_editing]
    end

@@ -310,7 +318,7 @@ module Precious
        wiki.write_page(name, format, params[:content], commit_message, path)

        page_dir = settings.wiki_options[:page_file_dir].to_s
-        redirect to("/#{clean_url(::File.join(page_dir, path, name))}")
+        redirect to("/#{clean_url(::File.join(page_dir, path, encodeURIComponent(name)))}")
      rescue Gollum::DuplicatePageError => e
        @message = "Duplicate page: #{e.message}"
        mustache :error
@@ -372,7 +380,7 @@ module Precious
    end
    
    post '/compare/*' do
-      @file     = params[:splat].first
+      @file     = encodeURIComponent(params[:splat].first)
      @versions = params[:versions] || []
      if @versions.size < 2
        redirect to("/history/#{@file}")
@@ -443,6 +451,7 @@ module Precious
      wiki         = Gollum::Wiki.new(settings.gollum_path, wiki_options)
      @results     = wiki.pages
      @results     += wiki.files if settings.wiki_options[:show_all]
+      @results     = @results.sort_by { |p| p.name.downcase } # Sort Results alphabetically, fixes 922
      @ref         = wiki.ref
      mustache :pages
    end
@@ -7,7 +7,7 @@ module Precious
    def call(env)
      @env = env
      # Blocks all potentially editable pages. Use EditingAuth::whitelist_pages to unblock pages.
-      unless (env["REQUEST_METHOD"] == "GET") || App::settings.wiki_options[:allow_editing]
+      unless (env["REQUEST_METHOD"] == "GET") || @app.settings.wiki_options[:allow_editing]
        return block unless excluded_page?
      end
      @app.call(env)
@@ -31,4 +31,4 @@ module Precious
      return ["/compare/"]
    end
  end
-end
+end
@@ -39,7 +39,7 @@ module Precious
      url.gsub('%2F', '/').gsub(/^\/+/, '').gsub('//', '/')
    end

-    def forbid(msg = "Forbidden.")
+    def forbid(msg = "Forbidden. This wiki is set to no-edit mode.")
      @message = msg
      status 403
      halt mustache :error
@@ -8,3 +8,4 @@ cfea406f5f77afc7fb673a43e97721234385b1bd 629aa678272b017a4d136d35e77ac94d80b08dc
 629aa678272b017a4d136d35e77ac94d80b08dc2 7d6aeab8b84c895f21f6c66b84a457b0fced9693 Daniel Kimsey <dekimsey@ufl.edu> 1352501984 -0500	push
 7d6aeab8b84c895f21f6c66b84a457b0fced9693 563cc3701db990caf63e4ce9c3697a062890ca48 James Dabbs <jamesdabbs@gmail.com> 1361843315 -0500	push
 563cc3701db990caf63e4ce9c3697a062890ca48 874f597a5659b4c3b153674ea04e406ff393975e Charles Pence <charles@charlespence.net> 1363478075 -0400	push
+874f597a5659b4c3b153674ea04e406ff393975e 7bdfe65face6f7cf9877d8c1d8c1dd974a63745e Nathan Lowe <techwiz96@gmail.com> 1421012322 -0500	push
@@ -8,3 +8,4 @@ cfea406f5f77afc7fb673a43e97721234385b1bd 629aa678272b017a4d136d35e77ac94d80b08dc
 629aa678272b017a4d136d35e77ac94d80b08dc2 7d6aeab8b84c895f21f6c66b84a457b0fced9693 Daniel Kimsey <dekimsey@ufl.edu> 1352501984 -0500	push
 7d6aeab8b84c895f21f6c66b84a457b0fced9693 563cc3701db990caf63e4ce9c3697a062890ca48 James Dabbs <jamesdabbs@gmail.com> 1361843315 -0500	push
 563cc3701db990caf63e4ce9c3697a062890ca48 874f597a5659b4c3b153674ea04e406ff393975e Charles Pence <charles@charlespence.net> 1363478075 -0400	push
+874f597a5659b4c3b153674ea04e406ff393975e 7bdfe65face6f7cf9877d8c1d8c1dd974a63745e Nathan Lowe <techwiz96@gmail.com> 1421012322 -0500	push
@@ -0,0 +1,3 @@
+x
йA
+─ пж²Б╥
+\HкN ╢/═f(┴мxЪzК*╛к═■И
фG≥■┌%о┌ё▀PCaHNЮ╘²┬ы?▓^п┘][mА╗ч%╣≥АЧ╣QEТЬзvh
@@ -1 +1 @@
-874f597a5659b4c3b153674ea04e406ff393975e
+7bdfe65face6f7cf9877d8c1d8c1dd974a63745e
@@ -17,6 +17,10 @@ dir = File.dirname(File.expand_path(__FILE__))
 $LOAD_PATH.unshift(File.join(dir, '..', 'lib'))
 $LOAD_PATH.unshift(dir)

+module Gollum
+end
+Gollum::GIT_ADAPTER = ENV['GIT_ADAPTER'] if ENV['GIT_ADAPTER']
+
 ENV['RACK_ENV'] = 'test'
 require 'gollum'
 require 'gollum/app'
@@ -78,7 +78,7 @@ context "Frontend" do

    get page

-    expected = "<h2><a class=\"anchor\" id=\"_#{text}\" href=\"#_#{text}\"><i class=\"fa fa-link\"></i></a>#{text}</h2>"
+    expected = "<h2><a class=\"anchor\" id=\"#{text}\" href=\"##{text}\"><i class=\"fa fa-link\"></i></a>#{text}</h2>"
    actual   = nfd(last_response.body)

    assert_match /#{expected}/, actual
@@ -619,6 +619,7 @@ context "Frontend with lotr" do
    assert !body.include?("Boromir"), "/pages should NOT include the page 'Boromir'"
    assert body.include?("Mordor"), "/pages should include the folder 'Mordor'"
    assert !body.include?("Eye Of Sauron"), "/pages should NOT include the page 'Eye Of Sauron'"
+    assert !body.match(/(Zamin).+(roast\-mutton)/m), "/pages should be sorted alphabetically"
  end

  test "/pages/Mordor/" do
@@ -19,9 +19,10 @@ context "Precious::Views::LatestChanges" do
  test "displays_latest_changes" do
    get('/latest_changes')
    body = last_response.body
+
    assert body.include?('<span class="username">Charles Pence</span>'), "/latest_changes should include the Author Charles Pence"
-    assert body.include?('60f12f4'), "/latest_changes should include the :latest_changes_count commit"
-    assert !body.include?('0ed8cbe'), "/latest_changes should not include more than latest_changes_count commits"
+    assert body.include?('a8ad3c0'), "/latest_changes should include the :latest_changes_count commit"
+    assert !body.include?('60f12f4'), "/latest_changes should not include more than latest_changes_count commits"
    assert body.include?('<a href="Data-Two.csv/874f597a5659b4c3b153674ea04e406ff393975e">Data-Two.csv</a>'), "/latest_changes include links to modified files in #{body}"
    assert body.include?('<a href="Hobbit/874f597a5659b4c3b153674ea04e406ff393975e">Hobbit.md</a>'), "/latest_changes should include links to modified pages in #{body}"
  end
Author	SHA1	Message	Date
Dawa Ometto	5c30ff4d3e	Release 3.1.2	2015-01-23 00:27:04 +01:00
Dawa Ometto	3269f02ba7	Merge pull request #950 from repotag/fix_allow_editing Set the allow_editing wiki option to true by default.	2015-01-23 00:26:22 +01:00
Dawa Ometto	e5c2e3b3eb	Set the allow_editing wiki option to true by default.	2015-01-23 00:14:13 +01:00
Dawa Ometto	77f4aee0af	Fix test related to gollum-lib TOC update	2015-01-23 00:00:01 +01:00
Dawa Ometto	868cbdfc7b	Merge pull request #936 from techwiz24/iss922-sort-pages Sort `/pages` alphabetically. Resolves #922.	2015-01-13 10:18:51 +01:00
Nathan Lowe	a650c0eab8	Sort `/pages` alphabetically Previously, the 'All Pages' view was not sorted alphabetically. We need to sort on the lowercase version of the page names so that lowercase names do not end up at the bottom of the list and are instead mixed in alphabetically, as they should be. Patches test/test_latest_changes_view.rb to include changes needed to test alphabetical sorting.	2015-01-12 19:04:07 -05:00
Dawa Ometto	a7dc8d8c6f	Merge pull request #929 from repotag/830_pagename_encodings Allow utf-8 page names when not using grit. Resolves #830 (when using rugged adapter).	2015-01-04 13:07:27 +01:00
Dawa Ometto	355db16d2c	Allow utf-8 page names when not using grit.	2015-01-04 12:20:25 +01:00
Dawa Ometto	c54ce41eb7	Merge pull request #928 from LEW21/compare-escape-redirect Encode the page title in the URL of a diff page	2015-01-03 19:58:56 +01:00
Janusz Lewandowski	afb7d4c9d1	Encode the page title in the URL of a diff page.	2015-01-03 17:56:51 +01:00
Dawa Ometto	b55cdde9da	Merge pull request #924 from rtrvrtg/patch-1 Fix wiki_options errors for hosted Gollum instances.	2014-12-29 12:31:39 +01:00
Geoffrey Roberts	93cbc6c770	Fix intermittent wiki_options errors Changed to resolve intermittent errors where I'd see the following in my logs: ```text ERROR -- : app error: undefined method `wiki_options' for Precious::App:Class (NoMethodError) ERROR -- : /home/gollum/production/releases/20141229-172128/vendor/bundle/ruby/2.0.0/gems/gollum-3.1.1.1anchor4/lib/gollum/editing_auth.rb:10:in `call' ERROR -- : /home/gollum/production/releases/20141229-172128/vendor/bundle/ruby/2.0.0/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb:18:in `call' ... ``` I suspect this is the case for Sinatra applications that host instances of Gollum using its `map` feature, as this reflects the production setup we're using it in. Calling @app.settings.wiki_options uses the app instance that gets passed into Precious::EditingAuth, thereby ensuring that we're getting a Gollum instance all the time.	2014-12-29 17:28:47 +11:00
Dawa Ometto	3b1b4a0a96	Update README.md	2014-12-22 20:28:50 +01:00
Dawa Ometto	10b45cb54d	Add --bare command line option (see #811 ).	2014-12-22 20:20:57 +01:00
Dawa Ometto	9d289e571b	Describe important security update.	2014-12-18 16:44:23 +01:00
Dawa Ometto	cce871c30e	Allow running tests with alternative adapter	2014-12-08 01:44:01 +01:00
Dawa Ometto	c2b605a90f	Release 3.1.1	2014-12-04 14:06:57 +01:00
Dawa Ometto	09149592b5	Set allow_editing in Precious::App to true by default. Closes #911	2014-12-04 13:53:58 +01:00
Dawa Ometto	e7410e551b	Bring rake dependency up to date.	2014-11-28 14:13:40 +01:00