Normalize the page contents used to create a PreviewPage. Fixes #1617.

CONTRIBUTING.md

@@ -21,7 +21,7 @@ Before submitting an issue, **please carefully look through the following places
 
 Security vulnerabilities can be reported directly to the maintainers using these GPG keys:
 
-* [@dometto](https://keys.openpgp.org/vks/v1/by-fingerprint/02354CC9F820B52CC2791979BB8CCC95FD83B795)
+* [@dometto](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD637E455CD3E27BF)
 
 Lastly, please **consider helping out** by opening a Pull Request!
 

README.md

@@ -4,9 +4,8 @@ gollum -- A git-based Wiki
 [![Gem Version](https://badge.fury.io/rb/gollum.svg)](http://badge.fury.io/rb/gollum)
 [![Build Status](https://travis-ci.org/gollum/gollum.svg?branch=master)](https://travis-ci.org/gollum/gollum)
 [![Open Source Helpers](https://www.codetriage.com/gollum/gollum/badges/users.svg)](https://www.codetriage.com/gollum/gollum)
-[![Cutting Edge Dependency Status](https://dometto-cuttingedge.herokuapp.com/github/gollum/gollum/svg 'Cutting Edge Dependency Status')](https://dometto-cuttingedge.herokuapp.com/github/gollum/gollum/info)
 
-**Please update to gollum 5.1.2 to counter a recent exploit. More info will follow after CVE is assigned.**
+**Please update to gollum 5.1.1 to counter a recent exploit in the kramdown rendering gem, [CVE-2020-14001](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001)**
 
 **Gollum version 5.0 is out!** See [here](https://github.com/gollum/gollum/wiki/5.0-release-notes) for a list of changes and new features compared to Gollum version 4.x, and see some [Screenshots](https://github.com/gollum/gollum/wiki/Screenshots) of Gollum's features.
 

gollum.gemspec

@@ -5,8 +5,8 @@ Gem::Specification.new do |s|
   s.required_ruby_version = '>= 1.9'
 
   s.name              = 'gollum'
-  s.version           = '5.1.2'
-  s.date              = '2020-12-01'
+  s.version           = '5.1.1'
+  s.date              = '2020-08-11'
   s.license           = 'MIT'
 
   s.summary     = 'A simple, Git-powered wiki.'
@@ -25,7 +25,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'gollum-lib', '~> 5.0'
   s.add_dependency 'kramdown', '~> 2.3'
-  s.add_dependency 'kramdown-parser-gfm', '~> 1.1.0'
+  s.add_dependency 'kramdown-parser-gfm', '~> 1.0.0'
   s.add_dependency 'sinatra', '~> 2.0'
   s.add_dependency 'sinatra-contrib', '~> 2.0'
   s.add_dependency 'mustache', ['>= 0.99.5', '< 1.0.0']

lib/gollum.rb

@@ -12,7 +12,7 @@ require 'rhino' if RUBY_PLATFORM == 'java'
 require File.expand_path('../gollum/uri_encode_component', __FILE__)
 
 module Gollum
-  VERSION = '5.1.2'
+  VERSION = '5.1.1'
 
   def self.assets_path
     ::File.expand_path('gollum/public', ::File.dirname(__FILE__))

lib/gollum/app.rb

@@ -318,8 +318,9 @@ module Precious
       post '/edit/*' do
         etag      = params[:etag]        
         path      = "/#{clean_url(sanitize_empty_params(params[:path]))}"
+        page_name = CGI.unescape(params[:page])
         wiki      = wiki_new
-        page      = wiki.page(::File.join(path, params[:page]))
+        page      = wiki.page(::File.join(path, page_name))
 
         return if page.nil?
         if etag != page.sha
@@ -354,6 +355,9 @@ module Precious
         if settings.wiki_options[:template_page] then
           temppage = wiki_page('/_Template')
           @template_page = (temppage.page != nil) ? temppage.page.raw_data : 'Template page option is set, but no /_Template page is present or committed.'
+          if defined?(Gollum::TemplateFilter)
+            @template_page = Gollum::TemplateFilter.filter(@template_page)
+          end
         end
         wikip = wiki_page(params[:splat].first)
         @name = wikip.name
@@ -416,8 +420,8 @@ module Precious
 
       post '/preview' do
         wiki           = wiki_new
-        @name          = params[:page] ? strip_page_name(params[:page]) : 'Preview'
-        @page          = wiki.preview_page(@name, params[:content], params[:format])
+        @name          = params[:page] ? strip_page_name(CGI.unescape(params[:page])) : 'Preview'
+        @page          = wiki.preview_page(@name, wiki.normalize(params[:content]), params[:format])
         ['sidebar', 'header', 'footer'].each do |subpage|
           @page.send("set_#{subpage}".to_sym, params[subpage]) if params[subpage]
         end

lib/gollum/public/gollum/javascript/gollum.js.erb

@@ -345,7 +345,8 @@ $(document).ready(function() {
     var formData = new FormData($('#gollum-editor-form').get(0));
     var paths = window.location.pathname.split('/');
     var sectionAnchor = window.location.hash.substr(1);
-    formData.append('page', paths[ paths.length - 1 ] || '')
+    formData.append('page', paths[ paths.length - 1 ] || '');
+
     $.ajax({
       url: routePath('preview'),
       data: formData,

lib/gollum/views/overview.rb

@@ -25,9 +25,9 @@ module Precious
             title = crumb.basename
 
             if title == path.basename
-              breadcrumb << %{<li class="breadcrumb-item" aria-current="page">#{CGI.escape(title.to_s)}</li>}
+              breadcrumb << %{<li class="breadcrumb-item" aria-current="page">#{title}</li>}
             else
-              breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{CGI.escape(title.to_s)}</a></li>}
+              breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{title}</a></li>}
             end
           end
           breadcrumb << %{</ol></nav>}

lib/gollum/views/page.rb

@@ -32,7 +32,7 @@ module Precious
         path.descend do |crumb|
           element = "#{crumb.basename}"
           next if element == @page.title
-          breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{CGI.escape(element.to_s)}</a></li>}
+          breadcrumb << %{<li class="breadcrumb-item"><a href="#{overview_path}/#{crumb}/">#{element}</a></li>}
         end
         breadcrumb << %{</ol></nav>}
         breadcrumb.join("\n")

test/test_app.rb

@@ -474,7 +474,7 @@ EOF
   end
 
   test "previews content" do
-    post "/gollum/preview", :content => 'abc', :format => 'markdown', :page => 'Samewise Gamgee.mediawiki'
+    post "/gollum/preview", :content => 'abc', :format => 'markdown', :page => 'Samewise%20Gamgee.mediawiki'
     assert last_response.ok?
     assert last_response.body.include?('Samewise Gamgee</h1>')
   end

test/test_overview_view.rb

@@ -43,13 +43,6 @@ context "Precious::Views::Overview" do
     @page.instance_variable_set("@base_url", "")
     assert_equal "<nav aria-label=\"Breadcrumb\"><ol><li class=\"breadcrumb-item\"><a href=\"/gollum/overview\">Home</a></li>\n<li class=\"breadcrumb-item\"><a href=\"/gollum/overview/Mordor/\">Mordor</a></li>\n<li class=\"breadcrumb-item\"><a href=\"/gollum/overview/Mordor/Eye-Of-Sauron/\">Eye-Of-Sauron</a></li>\n<li class=\"breadcrumb-item\" aria-current=\"page\">Saruman</li>\n</ol></nav>", @page.breadcrumb
   end
-  
-  test 'guard against malicious filenames' do
-    malicious_title = '<img src=x onerror=alert(1) />'
-    @page.instance_variable_set("@path", malicious_title)
-    @page.instance_variable_set("@base_url", "")
-    assert @page.breadcrumb.include?(">%3Cimg+src%3Dx+onerror%3Dalert%281%29+</a>")
-  end
 
   test "breadcrumb with no path" do
     assert_equal 'Home', @page.breadcrumb

test/test_page_view.rb

@@ -12,17 +12,6 @@ context "Precious::Views::Page" do
   teardown do
     FileUtils.rm_rf(@path)
   end
-  
-  test 'guard against malicious filenames' do
-    malicious_title = '<img src=x onerror=alert(1) />'
-    @wiki.write_page(malicious_title, :markdown, 'Is Bilbo a hobbit? Why certainly!')
-    page = @wiki.page(malicious_title)
-    @view = Precious::Views::Page.new
-    @view.instance_variable_set :@page, page
-    @view.instance_variable_set :@content, page.formatted_data
-    @view.instance_variable_set :@h1_title, false
-    assert @view.breadcrumb.include?(">%3Cimg+src%3Dx+onerror%3Dalert%281%29+</a>")
-  end
 
   test "h1 title sanitizes correctly" do
     title = 'H1'