Release 4.1.4

Update supported rubies.

.gitattributes

@@ -30,3 +30,11 @@ gollum text
 # Denote all files that are truly binary and should not be modified.
 *.png binary
 *.jpg binary
+
+# Make github-linguist ignore files that aren't our own
+
+lib/gollum/public/gollum/* linguist-vendored
+lib/gollum/public/gollum/javascript/gollum* linguist-vendored=false
+lib/gollum/public/gollum/javascript/*/gollum* linguist-vendored=false
+lib/gollum/public/gollum/css linguist-vendored=false
+

CONTRIBUTING.md

@@ -19,8 +19,17 @@ Before submitting an issue, **please carefully look through the following places
 1. The [README](https://github.com/gollum/gollum/blob/master/README.md).
 1. The project's [wiki](https://github.com/gollum/gollum/wiki).
 
+Security vulnerabilities can be reported directly to the maintainers using these GPG keys:
+
+* [@dometto](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD637E455CD3E27BF)
+
 Lastly, please **consider helping out** by opening a Pull Request!
 
+## Triaging Issues [![Open Source Helpers](https://www.codetriage.com/gollum/gollum/badges/users.svg)](https://www.codetriage.com/gollum/gollum)
+
+You can triage issues which may include reproducing bug reports or asking for vital information, such as version numbers or reproduction instructions. If you would like to start triaging issues, one easy way to get started is to [subscribe to gollum on CodeTriage](https://www.codetriage.com/gollum/gollum).
+
+
 ## Opening a Pull Request
 
 Pull Requests fixing bugs, implementing new features, or updating documentation and dependencies are all very welcome! If you would like to help out with the project, you can pick an open issue from the issue tracker. We're more than happy to help you get started! Here's how you can proceed:

HISTORY.md

@@ -1,3 +1,11 @@
+# 4.1.4 /2018-01-10
+
+* Depend on new version of gollum-lib that relies on a patched version of sanitize, which solves a vulnerability (CVE-2018-3740). See https://github.com/gollum/gollum-lib/pull/296.
+
+# 4.1.3 /2018-17-09
+
+* Solves a vulnerability in the File view and All Pages view that would allow XSS.
+
 # 4.1.2 /2017-08-07
 
 * Lock to a newer version of gollum-lib to avoid installing an outdated and vulnerable dependency (nokogiri) on ruby 2.0. See https://github.com/gollum/gollum-lib/pull/279. Note: this breaks semantic versioning so those using outdated rubies will discover the problem on update.

ISSUE_TEMPLATE.md

@@ -0,0 +1,7 @@
+**Note**: we are currently working on version 5.0 of gollum in an attempt to make it, better, faster, and easier to maintain. We will **not** be fixing issues with previous versions of gollum (4.x), except for security issues.
+
+Please submit only issues that are present in the `5.x` branch of this project. When submitting issues with `5.x`, please include the output of `gollum --versions` in your ticket. 
+
+Please read [these guidelines](https://github.com/gollum/gollum/blob/master/CONTRIBUTING.md) before submitting your issue, and for info on reporting vulnerabilities.
+
+Finally: we need your help! Please consider chipping in by submitting a PR rather than just by reporting your issue.

README.md

@@ -3,7 +3,7 @@ gollum -- A git-based Wiki
 
 [![Gem Version](https://badge.fury.io/rb/gollum.svg)](http://badge.fury.io/rb/gollum)
 [![Build Status](https://travis-ci.org/gollum/gollum.svg?branch=master)](https://travis-ci.org/gollum/gollum)
-[![Dependency Status](https://gemnasium.com/gollum/gollum.svg)](https://gemnasium.com/gollum/gollum)
+[![Open Source Helpers](https://www.codetriage.com/gollum/gollum/badges/users.svg)](https://www.codetriage.com/gollum/gollum)
 
 ## DESCRIPTION
 
@@ -33,9 +33,9 @@ For more information on Gollum's capabilities and pitfalls:
 
 | Operating System | Ruby           | Adapters           | Supported |
 | ---------------- | -------------- | ------------------ | --------- |
-| Unix/Linux-like  | Ruby 1.9.3+    | all except [RJGit](https://github.com/repotag/rjgit) | yes |
+| Unix/Linux-like  | Ruby (MRI) 2.1.0+   | all except [RJGit](https://github.com/repotag/rjgit) | yes |
 | Unix/Linux-like  | [JRuby](https://github.com/jruby/jruby) (1.9.3+ compatible) | [RJGit](https://github.com/repotag/rjgit) | yes |
-| Windows          | Ruby 1.9.3+    | all except [RJGit](https://github.com/repotag/rjgit) | no  |
+| Windows          | Ruby (MRI) 2.1.0+  | all except [RJGit](https://github.com/repotag/rjgit) | no  |
 | Windows          | [JRuby](https://github.com/jruby/jruby) (1.9.3+ compatible) | [RJGit](https://github.com/repotag/rjgit) | almost<sup>1</sup> |
 
 **Notes:**

gollum.gemspec

@@ -5,8 +5,8 @@ Gem::Specification.new do |s|
   s.required_ruby_version = '>= 1.9'
 
   s.name              = 'gollum'
-  s.version           = '4.1.2'
-  s.date              = '2017-08-07'
+  s.version           = '4.1.4'
+  s.date              = '2018-10-01'
   s.rubyforge_project = 'gollum'
   s.license           = 'MIT'
 
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   s.rdoc_options = ['--charset=UTF-8']
   s.extra_rdoc_files = %w[README.md LICENSE]
 
-  s.add_dependency 'gollum-lib', '>= 4.2.7'
+  s.add_dependency 'gollum-lib', '~> 4.2', '>= 4.2.10'
   s.add_dependency 'kramdown', '~> 1.9.0'
   s.add_dependency 'sinatra', '~> 1.4', '>= 1.4.4'
   s.add_dependency 'mustache', ['>= 0.99.5', '< 1.0.0']
@@ -44,6 +44,7 @@ Gem::Specification.new do |s|
     CONTRIBUTING.md
     Gemfile
     HISTORY.md
+    ISSUE_TEMPLATE.md
     LICENSE
     README.md
     Rakefile

lib/gollum.rb

@@ -16,7 +16,7 @@ require File.expand_path('../gollum/uri_encode_component', __FILE__)
 $KCODE = 'U' if RUBY_VERSION[0, 3] == '1.8'
 
 module Gollum
-  VERSION = '4.1.2'
+  VERSION = '4.1.4'
 
   def self.assets_path
     ::File.expand_path('gollum/public', ::File.dirname(__FILE__))

lib/gollum/app.rb

@@ -490,11 +490,11 @@ module Precious
     }x do |path|
       @path        = extract_path(path) if path
       wiki_options = settings.wiki_options.merge({ :page_file_dir => @path })
-      wiki         = Gollum::Wiki.new(settings.gollum_path, wiki_options)
-      @results     = wiki.pages
-      @results     += wiki.files if settings.wiki_options[:show_all]
+      @wiki         = Gollum::Wiki.new(settings.gollum_path, wiki_options)
+      @results     = @wiki.pages
+      @results     += @wiki.files if settings.wiki_options[:show_all]
       @results     = @results.sort_by { |p| p.name.downcase } # Sort Results alphabetically, fixes 922
-      @ref         = wiki.ref
+      @ref         = @wiki.ref
       mustache :pages
     end
 

lib/gollum/views/pages.rb

@@ -23,7 +23,7 @@ module Precious
             end
           end
 
-          breadcrumb.join(" / ")
+          @wiki.sanitizer.clean(breadcrumb.join(" / "))
         else
           "Home"
         end
@@ -60,7 +60,7 @@ module Precious
           result = Hash[folders.sort_by{| key, value | key.downcase} ].values.join("\n") + "\n"
           result += Hash[page_files.sort_by{ | key, value | key.downcase } ].values.join("\n")
 
-          result
+          @wiki.sanitizer.clean(result)
         else
           ""
         end

test/test_pages_view.rb

@@ -2,6 +2,18 @@
 require File.expand_path(File.join(File.dirname(__FILE__), 'helper'))
 require File.expand_path '../../lib/gollum/views/pages', __FILE__
 
+class FakeSane
+  def clean(data)
+    data
+  end
+end
+
+class FakeWiki
+  def sanitizer
+    FakeSane.new
+  end
+end
+
 FakePageResult = Struct.new(:path) do
   def name
     File.basename(path, File.extname(path)).gsub("-", " ")
@@ -27,6 +39,7 @@ end
 context "Precious::Views::Pages" do
   setup do
     @page = Precious::Views::Pages.new
+    @page.instance_variable_set("@wiki", FakeWiki.new)
   end
 
   test "breadcrumb" do