Compare commits

This repository has been archived on 2023-03-18. You can view files and clone it, but cannot push or open issues or pull requests.

701 Commits
main ... beta

Author SHA1 Message Date
Blake Erickson
4dd8f6e486 Version bump 2023-03-16 17:54:40 -06:00
Penar Musaraj
c02cbd9645
Version bump 2023-01-25 13:50:36 -05:00
OsamaSayegh
65b863ee54
Version bump 2023-01-11 08:41:04 +03:00
Alan Guo Xiang Tan
21252f9a4d
Version bump 2023-01-05 09:47:19 +08:00
Alan Guo Xiang Tan
54141ba674
SECURITY: Convert send_digest to a post request (#19747)
Co-authored-by: Isaac Janzen <isaac.janzen@discourse.org>
2023-01-05 06:57:35 +08:00
Alan Guo Xiang Tan
ba086ac8b7
SECURITY: use rstrip instead of regex gsub to prevent ReDOS (#19745)
`rstrip` implementation is much more performant than regex

Co-authored-by: Krzysztof Kotlarek <kotlarek.krzysztof@gmail.com>
2023-01-05 06:20:59 +08:00
Alan Guo Xiang Tan
c852911801
SECURITY: Delete email tokens when a user's email is changed or deleted (#19744)
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2023-01-05 06:20:49 +08:00
Alan Guo Xiang Tan
9dee2cf53b
SECURITY: Check the length of raw post body (#19743)
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2023-01-05 06:20:42 +08:00
Alan Guo Xiang Tan
fa622ebffc
SECURITY: escape quotes in tag description when rendering (#19742)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 06:20:35 +08:00
Alan Guo Xiang Tan
6db4c3a894
SECURITY: BCC active user emails from group SMTP (#19741)
When sending emails out via group SMTP, if we
are sending them to non-staged users we want
to mask those emails with BCC, just so we don't
expose them to anyone we shouldn't. Staged users
are ones that have likely only interacted with
support via email, and will likely include other
people who were CC'd on the original email to the
group.

Co-authored-by: Martin Brennan <martin@discourse.org>
2023-01-05 06:20:27 +08:00
Alan Guo Xiang Tan
f4e319d230
SECURITY: Don't expose user post counts to users who can't see the topic (#19740)
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2023-01-05 06:20:11 +08:00
Alan Guo Xiang Tan
63758c2771
SECURITY: Sanitize PendingPost titles before rendering to prevent XSS (#19739)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 06:20:03 +08:00
Alan Guo Xiang Tan
93b7ad2b14
Version bump 2023-01-03 14:30:56 +08:00
Daniel Waterworth
8c072977f5 Version bump 2022-11-29 11:04:57 -06:00
Martin Brennan
d93e5a84d1
Version bump 2022-11-28 11:00:16 +10:00
Martin Brennan
4dc89cb0cc
Version bump 2022-11-14 13:09:57 +10:00
Bianca Nenciu
34da679752
SECURITY: Correctly render link title in draft preview (#18957)
The additional unescaping could cause link titles to be rendered
incorrectly.
2022-11-09 15:54:53 +02:00
David Taylor
ce44c05e83
Version bump 2022-11-01 17:00:58 +00:00
Alan Guo Xiang Tan
adf5e1ca97
SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18769)
Before this commit, we did not have guardian checks in place to determine if a
topic's title associated with a user badge should be displayed or not.
This means that the topic title of topics with restricted access
could be leaked to anon and users without access if certain conditions
are met. While we will not specify the conditions required, we have internally
assessed that the odds of meeting such conditions are low.

With this commit, we will now apply a guardian check to ensure that the
current user is able to see a topic before the topic's title is included
in the serialized object of a `UserBadge`.
2022-10-27 11:47:53 +08:00
Alan Guo Xiang Tan
ebc498945b
DEV: Introduce TopicGuardian#can_see_topic_ids method (#18692) (#18766)
Before this commit, there was no way for us to efficiently check an
array of topics for which a user can see. Therefore, this commit
introduces the `TopicGuardian#can_see_topic_ids` method which accepts an
array of `Topic#id`s and filters out the ids which the user is not
allowed to see. The `TopicGuardian#can_see_topic_ids` method is meant to
maintain feature parity with `TopicGuardian#can_see_topic?` at all
times so a consistency check has been added in our tests to ensure that
`TopicGuardian#can_see_topic_ids` returns the same result as
`TopicGuardian#can_see_topic?`. In the near future, the plan is for us
to switch to `TopicGuardian#can_see_topic_ids` completely but I'm not
doing that in this commit as we have to be careful with the performance
impact of such a change.

This method is currently not being used in the current commit but will
be relied on in a subsequent commit.
2022-10-27 07:46:38 +08:00
Alan Guo Xiang Tan
b76828df7e
DEV: Remove hardcoded id when fabricating in tests (#18729) (#18731)
Hardcoding ids always leads to sadness for our test suite
2022-10-25 06:31:05 +08:00
Alan Guo Xiang Tan
17f700475c
DEV: Fabricate instead of just building topic, post and user in tests (#18698) (#18716)
Building does not persist the object in the database which is
unrealistic since we're mostly dealing with persisted objects in
production.

In theory, this will result in our test suite taking longer to run since we
now have to write to the database. However, I don't expect the increase
to be significant and it is actually no different than us adding new
tests which fabricate more objects.
2022-10-24 07:28:06 +08:00
Osama Sayegh
ca52e9a019
FIX: Workaround a bug in the R2 gem to produce valid RTL CSS (#18446)
See the comment in the changed file for details. Meta report: https://meta.discourse.org/t/main-css-and-mobile-style-not-working-after-update-2-9-0-beta10/240553?u=osama.
2022-10-02 23:03:22 +03:00
Jarek Radosz
d4adf6fa66
Version bump
# Conflicts:
#	app/assets/javascripts/discourse/app/widgets/post-cooked.js
#	db/migrate/20220920044310_enforce_user_profile_max_limits.rb
#	spec/requests/admin/themes_controller_spec.rb
2022-09-29 20:41:00 +02:00
Jarek Radosz
f224eb8601
SECURITY: Prevent arbitrary file write when decompressing files (beta) (#18422)
* SECURITY: Prevent arbitrary file write when decompressing files
* FIX: Allow decompressing files into symlinked directories

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Gerhard Schlager <gerhard.schlager@discourse.org>
2022-09-29 20:14:47 +02:00
Jarek Radosz
8f62bc97ce
SECURITY: moderator shouldn't be able to import a theme via API (beta) (#18419)
* SECURITY: moderator shouldn't be able to import a theme via API.
* DEV: apply `AdminConstraint` for all the "themes" routes.

Co-authored-by: Vinoth Kannan <svkn.87@gmail.com>
2022-09-29 20:13:23 +02:00
Jarek Radosz
25269bcc73
SECURITY: Handle incomplete quote bbcode (#18312) 2022-09-21 14:03:01 +02:00
Martin Brennan
47a5aaabfb
SECURITY: Limit user profile field length (#18302) (#18303)
Adds limits to location and website fields at model and DB level
to match the bio_raw field limits. A limit cannot be added at the
DB level for bio_raw because it is a postgres text field.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-09-21 13:30:51 +10:00
Loïc Guitaut
6454395864
Version bump 2022-08-10 14:59:56 +02:00
Krzysztof Kotlarek
224d61e8c5 SECURITY: Limit email invitations to topic 2022-08-10 11:43:30 +02:00
romanrizzi
235f6197d0
Version bump 2022-07-27 17:13:41 -03:00
David Taylor
3ab619994f
FIX: Allow Symbol objects to be deserialized in PostRevision (beta) (#17511)
Followup to ee07f6da7d
2022-07-15 13:15:06 +01:00
David Taylor
cd5b2079bd
FIX: Allow Time objects to be deserialized in PostRevision (beta) (#17503)
Followup to ee07f6da7d
2022-07-15 00:17:27 +01:00
David Taylor
9b1a32455a
Version bump 2022-07-13 12:43:40 +01:00
David Taylor
a1d6cf99c2
SECURITY: Validate email constraints when trying to redeem an invite (beta) (#17174)
In certain situations, a logged in user can redeem an invite with an email that
either doesn't match the invite's email or does not adhere to the email domain
restriction of an invite link. The impact of this flaw is aggravated
when the invite has been configured to add the user that accepts the
invite into restricted groups.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-07-06 10:45:29 +01:00
Natalie Tay
d1c34cfca7
Merge pull request #17285 from discourse/updated-beta
Updated beta
2022-06-30 18:10:31 +08:00
OsamaSayegh
f97b6a7dde
Version bump 2022-06-30 12:45:07 +03:00
Blake Erickson
925da123d9
Merge pull request #17079 from discourse/updated-beta
Updated beta
2022-06-13 16:06:22 -06:00
Blake Erickson
f99cbdce33 Version bump 2022-06-13 15:28:33 -06:00
Alan Guo Xiang Tan
16778b8c92
FIX: Approves user when redeeming an invite for invites only sites (#16986)
When a site has `SiteSetting.invite_only` enabled, we create a
`ReviewableUser` record when activating a user if the user is not
approved. Therefore, we need to approve the user when redeeming an
invite.

There are some uncertainties surrounding why a `ReviewableRecord` is
created for a user in an invites only site but this commit does not seek
to address that.

Follow-up to 7c4e2d33fa
2022-06-03 14:51:08 +08:00
Gerhard Schlager
75f274d967
SECURITY: Remove auto approval when redeeming an invite (#16975)
This security fix affects sites which have `SiteSetting.must_approve_users`
enabled. There are intentional and unintentional cases where invited
users can be auto approved and are deemed to have skipped the staff approval process.
Instead of trying to reason about when auto-approval should happen, we have decided that
enabling the `must_approve_users` setting going forward will just mean that all new users
must be explicitly approved by a staff user in the review queue. The only case where users are auto
approved is when the `auto_approve_email_domains` site setting is used.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-06-02 16:10:58 +02:00
David Taylor
30163f0340
FIX: Ensure values are escaped in select-kit dropdowns (#16587)
The values in Discourse dropdown menus only come from admin-defined strings, not unsanitised end-user input, so this lack of escaping was not exploitable.
2022-04-28 16:44:17 +01:00
Penar Musaraj
c3a2561121
Version bump 2022-04-14 10:12:57 -04:00
Alan Guo Xiang Tan
0f65b53f3d SECURITY: Update Nokogiri to 1.13.4.
Nokogiri 1.13.4 updates zlib to 1.2.12 to address CVE-2018-25032.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
2022-04-12 14:38:46 +08:00
Alan Guo Xiang Tan
591db6e20b DEV: Add pretender endpoint for category visible groups.
This was causing our build to become flaky.
2022-04-11 11:43:39 +08:00
Alan Guo Xiang Tan
8f6d54a920 SECURITY: Category group permissions leaked to normal users.
After this commit, category group permissions can only be seen by users
that are allowed to manage a category. In the past, we inadvertently
included a category's group permissions settings in `CategoriesController#show`
and `CategoriesController#find_by_slug` endpoints for normal users when
those settings are only a concern to users that can manage a category.
2022-04-08 11:04:40 +02:00
Bianca Nenciu
ae28bd4a54 FIX: Serialize permissions for everyone group
The permissions for the 'everyone' group were not serialized because
the list of groups a user can view did not include it. This bug was
introduced in commit dfaf9831f7.
2022-04-08 11:04:40 +02:00
Martin Brennan
64aac6092d DEV: Fix failing share topic tests (#16309)
Since 3fd7b31a2a some tests
were failing with this error:

> Error: Unhandled request in test environment: /c/feature/find_by_slug.json
> (GET) at http://localhost:7357/assets/test-helpers.js

This commit fixes the issue by adding the missing pretender. Also
noticed while fixing this that the parameter for the translation
was incorrect -- it was `group` instead of `groupNames`, so that
is fixed here too, along with moving the onShow functions into
@afterRender decorated private functions. There is no need for the
appevent listeners.
2022-04-08 11:04:40 +02:00
Bianca Nenciu
21b8c7e120 FIX: Show restricted groups warning when necessary (#16236)
It was displayed for the "everyone" group too, but that was not
necessary.
2022-04-08 11:04:40 +02:00
Alan Guo Xiang Tan
ed02cfbabb DEV: Restore order assertion in category serializer tests. (#16344)
Our group fabrication creates groups with name "my_group_#{n}" where n
is the sequence number of the group being created. However, this can
cause the test to be flaky if and when a group with name `my_group_10`
is created as it will be ordered before
`my_group_9`. This commit makes the group names deterministic to
eliminate any flakiness.

This reverts commit 558bc6b746.
2022-04-01 09:13:12 +08:00
David Taylor
0b509439f6 DEV: Fix flaky specs (#16340)
`group_permissions` are not serialized in a consistent order

Follow-up to dfaf9831f7
2022-04-01 09:13:12 +08:00
Alan Guo Xiang Tan
81ab6569b5
SECURITY: Avoid leaking private group name when viewing category. (#16338)
In certain instances when viewing a category, the name of a group with
restricted visibility may be revealed to users which do not have the
required permission.
2022-03-31 15:05:12 +08:00
Martin Brennan
80a40ebaa6
SECURITY: Hide private categories in user activity export (#16273) (#16275)
In some of the user's own activity export data,
we sometimes showed a secure category's name or
exposed the existence of a secure category.
2022-03-24 15:56:29 +10:00
Neil Lalonde
b1b643c794
Version bump 2022-03-22 14:49:11 -04:00
Alan Guo Xiang Tan
2c4523e19b
DEV: Run tests on push to beta and stable branch too. (#16221) 2022-03-18 12:08:23 +08:00
Alan Guo Xiang Tan
94b0d4f3cf
DEV: Pull compatible version for plugins in Github test workflow. (#16220)
We have 3 branches which we care about, `main`, `beta` and `stable`.
However, each of these branches has different compatibilities with plugins
and we want to respect that.
2022-03-18 11:28:05 +08:00
Krzysztof Kotlarek
1a46b092fc Version bump 2022-02-14 15:52:34 +11:00
Krzysztof Kotlarek
d81e9b0430 Version bump to v2.9.0.beta2 2022-02-14 15:52:01 +11:00
Krzysztof Kotlarek
3f70e47c90 SECURITY: Onebox response timeout and size limit (#15927)
Validation to ensure that Onebox request is no longer than 10 seconds and response size is not bigger than 1 MB
2022-02-14 12:12:45 +11:00
Neil Lalonde
c7ac0b74a7
Version bump 2022-01-27 10:55:08 -05:00
Neil Lalonde
42c71789f9
Version bump 2022-01-13 10:37:38 -05:00
David Taylor
2fcc8ae64a
FIX: Bypass service worker on the SSO path (#15558) (#15561)
This is a workaround a behavior change in Chromium v97.
The following text was sent to the blink-dev mailing list:

> This change broke a SingleSignOn login on the FOSS software Discourse. We have a flow like:
>
> 1. User visits forum.siteA.com, click login
> 2. Gets redirected to idp.siteB.com
> 3. Fills login details
> 4. Gets redirected to forum.siteA.com/session/sso_login?parameters
> 5. Gets redirected to forum.siteA.com/homepage
>
> On step 4, the response includes a `set-cookie` header, with proper `HttpOnly; SameSite=Lax; Secure` and set. But if there is an active service worker, the login will fail as that cookie will be rejected by Chromium due to SameSite rules now.
>
> t=2971 [st=258]        COOKIE_INCLUSION_STATUS
>                        --> domain = "forum.siteA.com"
>                        --> name = "_t"
>                        --> operation = "store"
>                        --> path = "/"
>                        --> status = "EXCLUDE_SAMESITE_LAX, DO_NOT_WARN"
>
> The service worker is a vanilla WorkboxJS service worker that intercepts all GETs with the "Network First" strategy.
>
> Disabling the service worker or using Firefox results in a successful login. There is no warning in either DevTools network tab nor the console that the cookie was rejected.
>
> Chrome 96: login works
> Chrome 97: login does not work
> Chrome 98: login does not work
>
> Is this expected behavior? Even if the request `GET forum.siteA.com` was initiated because of a redirect from a different domain, is it expected that Chrome will silently drop same site cookies from forum.siteA.com?

Co-authored-by: Rafael dos Santos Silva <xfalcox@gmail.com>
2022-01-13 00:08:42 +00:00
Dan Ungureanu
6de36e75af
SECURITY: Do not sign in unapproved users (#15552) 2022-01-12 22:25:37 +02:00
Alan Guo Xiang Tan
840648c316 SECURITY: Advanced group search did not respect visibility of groups. 2022-01-10 13:49:32 +08:00
Bianca Nenciu
2b9d3c18e1
SECURITY: Hide user's bio if profile is restricted (#15448)
The bio was sometimes visible in the meta tags even though it should
not have been.
2022-01-07 14:18:20 +02:00
Arpit Jalan
ca5feb4920 SECURITY: only show user suggestions with regular post (#15436) 2022-01-03 13:53:06 +05:30
Jarek Radosz
54ca0dbd38
FIX: SiteSetting.title was being polluted in StaticController (#15385)
Regressed in #15324
2021-12-21 19:43:57 -05:00
Neil Lalonde
9f41fe60df
Version bump 2021-12-21 13:25:21 -05:00
Alan Guo Xiang Tan
74746c8bc3 SECURITY: Disable MessageBus::Diagnostics.
MessageBus::Diagnostics allows anyone with access to carry out certain
operations that may result in a denial of service. The impact of this is
greater on multisite clusters.
2021-12-17 14:44:54 +08:00
David Taylor
e4759ae9f2
DEV: Fix ember CLI bootstrap logic (#15161)
When 1fa7a87f was rebased onto `main`, it didn't take into account the recent changes in c0781d7d. This commit updates the logic to work properly.
2021-12-01 18:42:15 +00:00
Neil Lalonde
ca4ac732b8
Version bump 2021-12-01 11:43:14 -05:00
Natalie Tay
1b9a807cbb
SECURITY: Only show tags to users with permission (#15148) 2021-12-01 10:32:03 +08:00
Martin Brennan
8fba9be113
SECURITY: Strip unrendered unicode bidirectional chars in code blocks (#15032)
When rendering the markdown code blocks we replace the
offending characters in the output string with spans highlighting a textual
representation of the character, along with a title attribute with
information about why the character was highlighted.

The list of characters stripped by this fix, which are the bidirectional
characters considered relevant, are:

U+202A
U+202B
U+202C
U+202D
U+202E
U+2066
U+2067
U+2068
U+2069
2021-11-22 10:44:16 +10:00
Neil Lalonde
fcbfd7eccd
Version bump 2021-11-15 11:15:15 -05:00
Neil Lalonde
414d39f883
Version bump 2021-10-20 17:32:28 -04:00
Bianca Nenciu
5e82006fb3 SECURITY: Escape watched word in error message (#14434) 2021-09-24 13:37:23 +03:00
Neil Lalonde
692d3fb4de
Version bump 2021-09-02 14:27:00 -04:00
Sam Saffron
1d63e23984
Revert "Build(deps): Bump oj from 3.13.2 to 3.13.3 (#14202)"
This reverts commit 1a65f0bfbb.

New Oj gem has issues see: https://github.com/ohler55/oj/issues/699
2021-09-02 16:10:37 +10:00
Neil Lalonde
137d57c5dd
Merge diffs from main 2021-09-01 13:32:16 -04:00
Neil Lalonde
29df250942
Version bump 2021-09-01 13:30:53 -04:00
Blake Erickson
764df93203
SECURITY: escape cat name (#14156) 2021-08-25 18:14:20 -06:00
Alan Guo Xiang Tan
c68f2fe461
SECURITY: Destroy EmailToken when EmailChangeRequest is destroyed (#13950) (#14024)
Co-authored-by: jbrw <jamie@goatforce5.org>
2021-08-12 15:12:43 +10:00
Alan Guo Xiang Tan
37c44e47fc SECURITY: User's read state for topic is leaked to unauthorized clients.
A user's read state for a topic such as the last read post number and the notification level is exposed.
2021-08-12 12:44:45 +08:00
Bianca Nenciu
9aa59fe215 SECURITY: Sanitize d-popover attributes (#13958) 2021-08-05 16:40:20 +03:00
Alan Guo Xiang Tan
c8d76796f5
DEV: Make rubocop happy. 2021-07-23 16:38:26 +08:00
Alan Guo Xiang Tan
99c2b75dd4
SECURITY: Don't leak user of previous whisper post when deleting a topic.
A topic's last poster can be incorrectly set to a user of a whisper post
if the whisper post is before the last post and the last post is
deleted.
2021-07-23 16:38:24 +08:00
Alan Guo Xiang Tan
a51f0d53e5
SECURITY: Do not reveal post whisperer in personal messages.
Prior to this fix, post whisperers in personal messages are revealed in
the topic's participants list even though non-staff users are unable to
see the whisper.
2021-07-23 16:38:21 +08:00
Neil Lalonde
93e91879c7
Version bump 2021-07-22 12:27:27 -04:00
Martin Brennan
8bec292ec4 SECURITY: Validate period param for top topic routes (#13818)
Fixes a possible SQL injection vector
2021-07-22 10:06:28 +02:00
Neil Lalonde
a615eecd36
Version bump 2021-07-15 14:56:25 -04:00
Bianca Nenciu
ffec25da9c FIX: TL4 users cannot delete others posts (#13554) 2021-07-06 12:05:29 +03:00
Arpit Jalan
70e37e84e4 SECURITY: Onebox canonical links bypassing FinalDestination checks 2021-07-01 20:13:27 +05:30
Joffrey JAFFEUX
ce1abdf273 SECURITY: ensures timeouts are correctly used on connect (#13455) 2021-06-22 12:27:26 +02:00
Neil Lalonde
d0e09c512c
Version bump 2021-06-08 11:30:09 -04:00
Régis Hanol
9ee80ebb7f SECURITY: XSS in bookmarks list (#13311)
We should use `fancy_title` instead of `title` when displaying a topic title to ensure only the allowed html is not escaped.
2021-06-07 16:52:10 +02:00
Neil Lalonde
3fbdfc5f8d
Version bump 2021-05-18 16:40:16 -04:00
Blake Erickson
bc1bce1ec8
Revert "DEV: Drop old IE11 intersection-observer references" (#13017) (#13018)
This reverts commit 7360a0f70f.

iOS still wants this sometimes. Probably best to revert for now and we can
always remove this again later.

See: https://meta.discourse.org/t/189799/11?u=blake
2021-05-10 17:53:55 -06:00
Neil Lalonde
1f72e631a2
Version bump 2021-05-10 11:31:34 -04:00
David Taylor
4d0f6f07c0
SECURITY: Bump Rails to 6.1.3.2 (#12963) (#12964)
Includes fixes for

- CVE-2021-22902
- CVE-2021-22903
- CVE-2021-22904
- CVE-2021-22885

https://github.com/rails/rails/blob/v6.1.3.2/actionpack/CHANGELOG.md
2021-05-06 13:26:26 +01:00
Neil Lalonde
992587f836
Version bump 2021-04-29 13:40:46 -04:00
Bianca Nenciu
8bc71df896
FIX: Gracefully handle inline images in emails (#12855) 2021-04-29 10:38:36 +03:00
Bianca Nenciu
dcab937030
FIX: Replace use of regular expression (#12838)
It used a regular expression to check if message IDs were in RFC format.
2021-04-27 17:16:27 +03:00
Neil Lalonde
fad6e645fb
Version bump 2021-04-14 10:57:45 -04:00
Sam
9fb0d287bf
FIX: automatically timeout long running image magick commands (#12670)
Previously certain images may lead to convert / identify to run for unreasonable
amounts of time

This adds a maximum amount of time these commands can run prior to forcing
them to stop
2021-04-12 13:48:54 +03:00
Neil Lalonde
75c4ba2d0f
Version bump 2021-04-07 15:12:02 -04:00
Martin Brennan
3c722be96f
SECURITY: Fix is_private_ip for RateLimiter to cover all cases (#12464)
The regular expression to detect private IP addresses did not always detect them successfully.
Changed to use ruby's in-built IPAddr.new(ip_address).private? method instead
which does the same thing but covers all cases.
2021-03-22 14:03:15 +10:00
Neil Lalonde
47593053d0
Version bump 2021-03-10 13:47:02 -05:00
Arpit Jalan
efb4a55b9b FIX: do not send rejection emails to auto-deleted reviewable users (#12160)
FIX: add context when user is deleted via auto handle queued reviewable
FIX: do not delete email_log when a user is deleted
2021-02-22 22:07:37 +05:30
Neil Lalonde
33df4233c9
Version bump 2021-02-18 14:24:10 -05:00
David Taylor
db38b379fe
SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124) 2021-02-18 10:47:00 +00:00
Arpit Jalan
cb42d24c96 FIX: process new invites when existing users are already group members (#11971)
If a list of email addresses is pasted into a group’s Add Members form
that has one or more email addresses of users who already belong to the
group and all other email addresses are for users who do not yet exist
on the forum then no invites were being sent. This commit ensures that
we send invites to new users.
2021-02-05 09:59:48 +05:30
Martin Brennan
a692f93571
DEV: Move logic for rate limiting user second factor to one place (#11941)
This moves all the rate limiting for user second factor (based on `params[:second_factor_token]` existing) to the one place, which rate limits by IP and also by username if a user is found.
2021-02-04 09:05:14 +10:00
Robin Ward
df49194953
SECURITY: Rate limit MFA by login if possible (#11938)
This ensures we rate limit on logins where possible, we also normalize logins for the rate limiters centrally.
2021-02-03 10:31:44 +11:00
Sam Saffron
083988cb44
msgpack 1.4.1 was yanked - use 1.4.2 2021-02-03 10:31:17 +11:00
Neil Lalonde
f83eaad496
Version bump 2021-01-28 12:55:34 -05:00
Neil Lalonde
47e7a10d6e
Version bump 2021-01-21 14:54:20 -05:00
Arpit Jalan
b94be27834 Bump onebox gem to 2.2.1
- do not show title only oneboxes
- allow oneboxes with title and image
2020-12-24 11:07:41 +05:30
Neil Lalonde
234b5780c3
Version bump 2020-11-30 17:47:48 -05:00
Sam
7e766d76d0
FIX: correct cdn path (#11324)
This was a typo in a118ec13
2020-11-24 14:35:01 +11:00
Sam
6eb9d73d80
FIX: stop including GlobalPath in default context (#11323)
We do not want these method names to clash, instead encapsulate the helpers
so we do not add methods to Kernel

Correct a bug exposed by Ruby 2.7
2020-11-24 14:34:57 +11:00
Neil Lalonde
ccc2c940bf
Version bump 2020-11-19 13:59:15 -05:00
Dan Ungureanu
7db4d0ac84
FIX: Add dummy themes:update task (#11261) 2020-11-17 11:45:47 +02:00
David Taylor
837ef6f2e5
FIX: Remove 4 month limit on IgnoredUser records (#11105)
b8c676e7 added the 'forever' option to the UI, and this is correctly stored in the database. However, we had a hard-coded limit of 4 months in the cleanup job. This commit removes the limit, so ignores can last forever.
2020-11-03 12:28:18 +00:00
Neil Lalonde
bce103b199
Version bump 2020-10-30 12:24:02 -04:00
Martin Brennan
bd8f0d0d94
FIX: Prevent slow bookmark first post reminder at query for topic (#11024)
On forums with a large amount of posts when a user had a bookmark in the topic, PostgreSQL was using an inefficient query plan to fetch the first post of the topic. When running this ActiveRecord query:

```ruby
topic.posts.with_deleted.where(post_number: 1).first
```

The following query plan was produced:

```text
 Limit  (cost=0.43..583.49 rows=1 width=891) (actual time=3850.515..3850.515 rows=1 loops=1)
   ->  Index Scan using posts_pkey on posts  (cost=0.43..391231.51 rows=671 width=891) (actual time=3850.514..3850.514 rows=1 loops=1)
         Filter: ((topic_id = 160918) AND (post_number = 1))
         Rows Removed by Filter: 2274520
 Planning time: 0.200 ms
 Execution time: 3850.559 ms
(6 rows)
```

The issue here is the combination of ORDER BY and LIMIT causing the inefficient Index Scan using posts_pkey on posts to be used. When we correct the AR call to this:

```ruby
topic.posts.with_deleted.find_by(post_number: 1)
```

We end up with a query that still has a LIMIT but no ORDER BY, which in turn creates a much more efficient query plan:

```text
Limit  (cost=0.43..1.44 rows=1 width=891) (actual time=0.033..0.034 rows=1 loops=1)
   ->  Index Scan using index_posts_on_topic_id_and_post_number on posts  (cost=0.43..678.82 rows=671 width=891) (actual time=0.033..0.033 rows=1 loops=1)
         Index Cond: ((topic_id = 160918) AND (post_number = 1))
 Planning time: 0.167 ms
 Execution time: 0.072 ms
(5 rows)
```

This query plan uses the correct index, `Index Scan using index_posts_on_topic_id_and_post_number on posts`. Note that this is only a problem on forums with a larger amount of posts; tiny forums would not notice the difference. On large forums a query for a topic that takes 1s without a bookmark can take 8-30 seconds, and even end up with 502 errors from nginx.
2020-10-27 16:06:59 +10:00
Neil Lalonde
4207152390
Merge diffs from master 2020-10-15 14:21:34 -04:00
Neil Lalonde
6777a465ea
Version bump 2020-10-15 14:19:08 -04:00
Martin Brennan
810d6febb5
FIX: Confirm new email not sent for staff if email disabled with "non-staff" option (#10794)
See https://meta.discourse.org/t/email-address-change-confirmation-email-not-sent-but-every-other-notification-emails-are/165358

In short: with disable emails set to non-staff, email address change confirmation emails (those sent to the new address) are not sent for staff or admin members.

This was happening because we were looking up the staff user with the to_address of the email, but the to address was the new email address because we are sending a confirm email change email, and thus the user could not be found. We didn't need to do this anyway because we are passing the user into the Email::Sender class anyway.
2020-10-08 14:29:25 +10:00
Roman Rizzi
f1f6bced01
SECURITY: Ensure users can see the topic before setting a topic timer. (#10841) 2020-10-06 17:10:09 -03:00
Robin Ward
59dee76b34 DEV: Add support for api-initializers to reduce boilerplate.
You can now create a file in your plugin/theme in the `api-initializers`
directory which has a simpler template than previous initializers.
Example:

```javascript
// api-initializers/my-plugin.js
import { apiInitializer } from "discourse/lib/api";

export default apiInitializer("0.8", api => {
  console.log("hello world from api initializer!");
});
```
2020-09-30 16:07:15 -04:00
Neil Lalonde
ccfdb7eb39
Merge diffs from master 2020-09-24 16:07:12 -04:00
Neil Lalonde
1de85c0b1d
Version bump 2020-09-24 16:06:20 -04:00
Krzysztof Kotlarek
1d5dfb4563 SECURITY: return error on oversized images 2020-09-14 11:30:38 +10:00
Guo Xiang Tan
8f064ae97b DEV: Correct use of sanitize_sql_array in TopicQuery. 2020-09-08 10:30:46 +02:00
Guo Xiang Tan
4025bcedaf DEV: Address review comments for 5ed84d9885. 2020-09-08 10:30:40 +02:00
Guo Xiang Tan
954da93bf8 SECURITY: Remove indication that a group exists if user can't see it.
Minor security fix but we should not leak any hints that a group exists
even if a user does not have access to the group.
2020-09-08 10:30:35 +02:00
Guo Xiang Tan
e7d94b8d6f SECURITY: Don't allow moderators to list PMs of all groups.
* Also return 404 when a user is trying to list PMs of a group that
cannot be accessed by the user.
2020-09-08 10:30:29 +02:00
Gerhard Schlager
2350947f65
FIX: Backups should use relative paths for local uploads
This also ensures that restoring a backup works when it was created with the wrong upload paths in the time between ab4c0a4970 (shortly after v2.6.0.beta1) and this fix.
2020-08-21 15:32:11 +02:00
Neil Lalonde
07d398e2e7
Merge diffs from master 2020-08-20 16:37:57 -04:00
Neil Lalonde
d5b9540449
Version bump 2020-08-20 16:36:52 -04:00
Jeff Wong
36b72e8141 FIX: allow plugin pinning to fetch missing commits
Add update for fetching git commits if they do not exist, eg with
clone --depth 1 - only can fetch via git fetch --depth 1 {remote} {ref}
the ref needs to be a full, non-ambiguous reference.
2020-08-13 11:16:18 -07:00
Guo Xiang Tan
4931c8e913
Update rails_failover to 0.5.5. 2020-08-04 11:15:08 +08:00
Guo Xiang Tan
1ec32f8cd1
FIX: Exclude DELETE methods from invalid request with payload.
Follow-up 105d560177

Our client side code is sending params as part of the request payload so
that is going to be tricky to fix.
2020-08-03 17:06:04 +08:00
Guo Xiang Tan
ae5ca5756d
SECURITY: 413 for GET, HEAD or DELETE requests with payload. 2020-08-03 15:00:05 +08:00
Guo Xiang Tan
ed910b0227
DEV: Refactor anonymous cache spec.
Mainly to properly categorize `Middleware::AnonymousCache` vs `Middleware::AnonymousCache::Helper` specs.
2020-08-03 14:59:28 +08:00
Sam Saffron
6eaf3c6b39 DEV: upgrade mini_racer and libv8
This pushes v8 from Chrome 73 (March 2019) -> 84 (July 14 2020)

Not expecting any user facing changes, but it is super nice to be on latest
v8 :confetti:
2020-07-23 14:23:42 +05:30
Jeff Wong
e2049175d6 Support plugin and Theme compatibility version manifests (#9995)
Adds a new rake task `plugin:checkout_compatible_all` and
`plugin:checkout_compatible[plugin-name]` that check out compatible plugin
versions.

Supports a .discourse-compatibility file in the root of plugins and themes that
list out a plugin's compatibility with certain discourse versions:

eg: .discourse-compatibility
```
2.5.0.beta6: some-git-hash
2.4.4.beta4: some-git-tag
2.2.0: git-reference
```

This ensures older Discourse installs are able to find and install older
versions of plugins without intervention, through the manifest only.

It iterates through the versions in descending order. If the current Discourse
version matches an item in the manifest, it checks out the listed plugin target.
If the Discourse version is greater than an item in the manifest, it checks out
the next highest version listed in the manifest.

If no versions match, it makes no change.
2020-07-16 18:03:28 -07:00
Martin Brennan
62498f3653
SECURITY: Add content-disposition: attachment for SVG uploads
* strip out the href and xlink:href attributes from use elements that
  are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  svgs embedded using an img tag do not suffer from the same exploit
2020-07-09 13:45:25 +10:00
Luke Clancy
4c6a4302df
Update category_featured_topic.rb (#10121)
In my experience, it does not catch the PG::UniqueViolation as ActiveRecord::RecordNotUnique is on top of it, so you should have both. I ran into this problem when creating large amounts of topics at the same time (I usually find this downstream in the source code when I pull it and change it there after each git clone)
2020-06-25 10:21:40 -04:00
Neil Lalonde
f407c88327
Version bump 2020-06-24 14:00:44 -04:00
Neil Lalonde
6893e72593
Version bump 2020-06-10 13:38:40 -04:00
Neil Lalonde
e5a7937177
Version bump 2020-06-01 14:14:38 -04:00
Jeff Wong
04347f1b2d SECURITY: make find topic by slug adhere to SiteSetting.detailed_404 (#9898) 2020-05-28 14:20:12 +05:30
Blake Erickson
03be23c73a SECURITY: Use FinalDestination for topic embeds 2020-05-28 14:16:13 +05:30
Neil Lalonde
f9335244f8
Version bump 2020-05-26 11:13:30 -04:00
Robin Ward
79b97a18d2 SECURITY: ERB execution in custom Email Style 2020-05-21 14:48:48 -04:00
Joffrey JAFFEUX
56e2aeee77 FIX: reverts to use an observer to support loading more notifications (#9628)
Apparently, didReceiveAttrs is not called when loading more notifications, this would require a more heavy refactoring.
2020-05-04 18:53:10 +02:00
Neil Lalonde
d46b486633
Version bump 2020-05-04 11:45:26 -04:00
Robin Ward
eeaa3816e1 SECURITY: Update onebox to add rel="noopener" 2020-04-29 10:57:31 -04:00
Joffrey JAFFEUX
9bbce5730d FIX: fails gracefully if :scope is not handled by a browser (#9529) 2020-04-23 16:52:22 +02:00
Joffrey JAFFEUX
160958715e FIX: prevents constant composer reloading (#9528) 2020-04-23 08:31:09 +02:00
Neil Lalonde
9e08d9da26
Merge diffs from master 2020-04-22 10:53:01 -04:00
Neil Lalonde
23fa6ff325
Version bump 2020-04-22 10:51:48 -04:00
Bianca Nenciu
a1c481e65a SECURITY: Ensure user can see group and group members 2020-03-24 12:22:37 +02:00
David Taylor
5011c9cd2d
SECURITY: Respect topic permissions when loading draft metadata
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
2020-03-23 11:54:03 +00:00
David Taylor
ebb0b94f73
DEV: Load plugin stylesheets before theme stylesheets (#9240)
This is a more logical order, since themes are more lightweight than plugins, and are often used to augment plugin styles
2020-03-19 19:22:57 +00:00
Martin Brennan
b355f03448 FIX: Ensure show_short URLs handle secure uploads using multisite (#9212)
Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224
* if the show_short route is hit for an upload that is
  secure, we redirect to the secure presigned URL. however
  this was not taking into account multisite so the db name
  was left off the path which broke the presigned URL
* we now use the correct url_for method if we know the
  upload (like in the show_short case) which takes into
  account multisite
2020-03-17 10:50:50 +10:00
Robin Ward
de4195be7e Let's not log the username/password
This could easily be seen by someone who shouldn't.
2020-03-11 12:54:02 -04:00
Sam Saffron
b3a4cf8ee6
FIX: last ip address could point at wrong ip
Due to unicorn env object recycling request.ip could point at the wrong
ip address by the time defer block is called. This usually would happen
under load.

This also avoids keeping the entire request object as referenced by the
closure.
2020-03-11 17:46:18 +11:00
Robin Ward
64f11e6b6c
Revert "FIX: Don't allow people to clear the upload bucket while it's enabled"
This reverts commit 4bb8db024c.
2020-03-05 16:34:13 -05:00
Neil Lalonde
5c22c7fc80
Version bump 2020-03-05 16:10:54 -05:00
Robin Ward
8410e6f8c1 SECURITY: Add more restrictions on invite emails
They could be filtered and returned in some circumstances where they
shouldn't have been.
2020-03-05 09:56:22 -05:00
Robin Ward
525fd7c51f SECURITY: Ensure the invite JSON API matches the UX
Anonymous users could query the invite json and see counts and
summaries which is not allowed in the UX of Discourse.

This commit has those endpoints return a 403 unless the user is
allowed to invite.
2020-03-05 09:56:13 -05:00
Joffrey JAFFEUX
32bf2e99c8 FIX: allows to select the action when agreeing with penalty (#9099)
Note this commit also fixes an issue where the edit post action was trying to focus the edit textarea, but was using jquery functions on a DOM node.

scrollTo is not available on IE11 but that shouldn't cause much trouble.
2020-03-04 10:32:40 -05:00
Mark VanLandingham
db19f64b2b FIX: Prettier on iframed-html component 2020-02-27 11:53:10 -06:00
Mark VanLandingham
ab133a7036 Merge pull request from GHSA-vw39-6w7q-gfx5
Co-authored-by: Robin Ward <robin.ward@gmail.com>
2020-02-27 11:50:03 -06:00
Neil Lalonde
f24d09b5c6 Version bump 2020-02-26 16:56:38 -05:00
Neil Lalonde
b6538bb306 Version bump 2020-02-13 16:57:19 -05:00
David Taylor
4da6833d6b DEV: Bump omniauth-github from 1.3.0 to 1.4.0 (#8924)
This switches the github API access to use header-based authentication, rather than the deprecated parameter-based method
2020-02-11 09:46:45 +00:00
Roman Rizzi
3f03914c94 FIX: Ensure sourcemap's source is correct. Uses the full assets path this time. (#8774) 2020-01-24 15:58:34 -03:00
Neil Lalonde
fa68a20841 Merge diffs from master 2020-01-21 17:09:28 -05:00
Neil Lalonde
686c3f6a2f Version bump 2020-01-21 17:08:31 -05:00
Régis Hanol
30e057c647 FIX: groups pagination was broken 2020-01-17 09:58:45 +01:00
Roman Rizzi
d70b0d32da SECURITY: Do not create a notification if a staged user post gets quoted/linked inside a restricted category 2020-01-16 15:51:36 -03:00
Régis Hanol
50b5fd7711 SECURITY: use strict JSON parsing when parsing backup metadata 2020-01-15 21:56:29 +01:00
Régis Hanol
f6be51b86d Revert "SECURITY: use strict JSON parsing when parsing backup metadata"
This reverts commit fe75b4a776.
2020-01-15 15:54:51 +01:00
Martin Brennan
fe75b4a776 SECURITY: use strict JSON parsing when parsing backup metadata 2020-01-15 15:40:28 +01:00
Régis Hanol
edf7113b54 FIX: group membership leak
FIX: raised a proper NotFound exception when filtering groups by username with invalid username.
FIX: properly filter the groups based on current user visibility when viewing another user's groups.
DEV: Guardian.can_see_group?(group) is now using Guardian.can_see_groups(groups) instead of duplicating the same code.
FIX: spec for groups_controller#index when group directory is disabled for logged in user.
FIX: groups_controller.sortable specs to actually test all sorting combinations.
DEV: s/response_body/body/g for slightly shorter spec code.
FIX: rewrote the "view another user's groups" specs to test all group_visibility and members_group_visibility combinations.
DEV: Various refactoring for cleaner and more consistent code.
2020-01-15 15:37:08 +01:00
Martin Brennan
943f7e14c4 SECURITY: Improve second factor auth logic 2020-01-10 11:09:46 +10:00
Rafael dos Santos Silva
1ceaa396f2
FIX: Use cached MaxMind DB for longer
Don't try to update the IP database as it's gone.

This allows users to rebuild Discourse while we work on a proper
fix / alternative database.
2019-12-31 13:06:11 -03:00
Michael Brown
ae77d184ba FIX: cache_critical_dns was erroring without IPAddr
* sometimes cache_critical_dns would error out since "IPAddr" was
  undefined
* sometimes it autoloaded, so no error
2019-12-31 13:22:12 +05:30
Rafael dos Santos Silva
f4031b9754 DEV: Update Bundler (#8583)
* DEV: Update Bundler

Latest RubyGems 3.1.1 vendors bundler 2.1.0 *again*. And our base
image build system even updates it to 2.1.1.

After that it is unable to run a simple `bundle install` because of
version mismatch.

Updating bundler to the one that comes with our enforced Ruby version
solves this.

* DEV: Update bundler in CI too
2019-12-23 14:50:01 +05:30
Neil Lalonde
fab6eed917 Version bump 2019-12-19 14:07:44 -05:00
David Taylor
c0383f5a0d SECURITY: Correct permission check when revoking user API keys 2019-12-17 11:06:49 +00:00
Krzysztof Kotlarek
c8845e6213 SECURITY: vulnerability in WildcardUrlChecker 2019-12-13 09:59:25 -05:00
Krzysztof Kotlarek
a2af9c07de SECURITY: upgrade rack-mini-profiler to avoid possible XSS (#8537) 2019-12-12 13:19:53 +11:00
Dan Ungureanu
e37cccfe7f
SECURITY: Ensure only image uploads can be inlined
This prevents malicious files (for example specially crafted XMLs) from being
used in XSS attacks.
2019-12-11 17:19:24 +02:00
Dan Ungureanu
dd65629836
SECURITY: Remove event handlers from SVG files 2019-12-11 17:19:23 +02:00
Neil Lalonde
8d48707d9b Version bump 2019-12-05 13:50:57 -05:00
Joffrey JAFFEUX
fbeb488ec5 DEV: s/$redis/Discourse.redis
With manual merge for conflicts
2019-12-03 13:27:12 +01:00
Sam Saffron
14e9bea12f DEV: Implement a faster Discourse.cache
This is a bottom up rewrite of Discourse cache to support faster performance
and a limited surface area.

ActiveSupport::Cache::Store accepts many options we do not use, this partial
implementation only picks the bits out that we do use and want to support.

Additionally params are named which avoids typos such as "expires_at" vs "expires_in"

This also moves a few spots in Discourse to use Discourse.cache over setex
Performance of setex and Discourse.cache.write is similar.
2019-12-03 13:25:17 +01:00
Sam Saffron
bc6a643f5c DEV: use Discourse.cache over Rails.cache
With manual merge on lib/oneboxer.rb
2019-12-03 13:24:36 +01:00
Martin Brennan
1c558d3ecc FIX: oneboxer.js infinitely retrying failed requests (#8414)
* setFailedCache was used like a variable object, when it was in fact a function
2019-11-27 15:24:36 +10:00
Neil Lalonde
c35ecbea89 Version bump 2019-11-06 12:31:38 -05:00
David Taylor
d73e1ee753 FIX: Respond to user search correctly when category_id is blank
Previously it would search for category_id=0, which does not exist. With the new permission checks, this returns a 404
2019-10-28 18:34:37 +00:00
David Taylor
b9b7d0cb70 DEV: Update users controller spec following user_search update 2019-10-28 12:41:52 +00:00
David Taylor
b24ab069cd SECURITY: Check permissions when autocompleting mentions 2019-10-28 12:11:00 +00:00
Sam Saffron
15df856915 FIX: allow storage of non unique rows in oauth2_user_infos
Certain DBs have duplicates already, if we want to ensure uniqueness here
we need to decide first how to clean up existing data and confirm all the
plugins expect this.
2019-10-25 13:13:57 +05:30
Dan Ungureanu
9ac871517d
PERF: Add index on group to category_groups (#8231) 2019-10-23 15:20:10 +03:00
Dan Ungureanu
af3afe5940
PERF: Add unique index oauth2_user_infos(user_id, provider) (#8230) 2019-10-23 15:20:07 +03:00
Neil Lalonde
2672410743 Version bump 2019-10-10 11:46:54 -04:00
Sam Saffron
7902dd201f SECURITY: mini profiler enabled incorrectly for admins
We expect mini profiler only to show up on accounts that are flagged as
developer accounts.

Unfortunately there was a bypass on any controllers that mix in ApplicationHelper
2019-10-09 12:50:24 +11:00
Neil Lalonde
ae6addeb2d Merge diffs from master 2019-10-01 16:52:46 -04:00
Neil Lalonde
f55439e33e Version bump 2019-10-01 16:51:58 -04:00
Robin Ward
cc5fc18f5f SECURITY: Don't allow base_uri as embeddable host if none exist 2019-10-01 18:00:31 +02:00
Sam Saffron
21e0eebada SECURITY: update rubyzip dependency
This updates the rubyzip library so that callers can trust entries when
extracting files, avoiding situations where a rogue zip imported by a rogue
admin could cause a disk space issue.
2019-10-01 17:11:53 +10:00
Sam Saffron
f9bdbef16f SECURITY: update rack-mini-profiler to latest to correct XSS
This corrects an XSS in ?pp=help.

Also removes the jQuery dependency from rack-mini-profiler and restricts
memory sensitive profiling methods development only.
2019-10-01 16:56:30 +10:00
Penar Musaraj
382f6959fc SECURITY: XSS when oneboxing user profile location field
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
2019-09-17 16:38:58 -04:00
Robin Ward
85d6de7b00 Version bump 2019-09-06 16:09:03 -04:00
Neil Lalonde
33b93124d6 Version bump 2019-09-04 11:18:06 -04:00
Sam Saffron
d0919fdfb2 FEATURE: track date api key was last used
Start tracking the date an api key was last used. This has already been
the case for user_api_keys.

This information can provide us with the ability to automatically expire
unused api keys after N days.
2019-09-03 18:51:34 +02:00
Sam Saffron
c36f3485f0 FIX: report cached controller and action to loggers
Previously we would treat all cached hits in anon cache as "other"

This hinders analysis of cache performance and makes logging inaccurate
2019-09-03 18:51:28 +02:00
Sam Saffron
d94015fcff FEATURE: anon cache reports data to loggers
This allows custom plugins such as prometheus exporter to log how many
requests are stored in the anon cache vs used by the anon cache.

This metric allows us to fine tune cache behaviors
2019-09-03 18:51:20 +02:00
Sam Saffron
30f9200fc7 PERF: avoid filtering shared drafts when not used
In some very specific cases (large sites) shared drafts can introduce a
performance hit due to the mechanism used to filter out topics

This avoids the entire process when shared drafts are not enabled
2019-08-29 11:35:47 +10:00
David Taylor
d6b1c1ce40 FIX: When activating via omniauth, create tokens after password reset
Resetting a password invalidates all email tokens, so we need to create the tokens after the password reset.
2019-08-28 14:49:51 +01:00
David Taylor
91bff783b7 FIX: When activating a user, ensure the change is reflected immediately
When activating a user via an external provider, this would cause the "this account is not activated" message to show on the first attempt, even though the account had been activated correctly.
2019-08-28 14:08:08 +01:00
David Taylor
9c39acfbb0 SECURITY: Reset password when activating an account via auth provider
Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
2019-08-28 14:08:03 +01:00
Sam Saffron
a27f7e2781 PERF: no point updating the same columns twice
We are unconditionally updating attributes anyway
2019-08-28 18:39:16 +10:00
Sam Saffron
aaafbd1ae5 FIX: add_to_serializer not correctly accounting for inheritance chains
This is a very long standing bug we had: if a plugin attempted to amend a
serializer, core was not "correcting" the situation for all descendant classes.
This often only showed up in production because production eager loads serializers
prior to plugins amending them.

This is a critical fix for various plugins
2019-08-27 18:23:50 +10:00
Gerhard Schlager
498ef7a4a3 Revert "FEATURE: Use configured quotation marks in fancy topic title"
This reverts most of commit ce8e099639.

The rake task to update fancy topic titles is still there, because that's useful even without this feature.
2019-08-26 16:28:15 +02:00
Sam Saffron
2e0274b598 SECURITY: add rate limiting to anon JS error reporting
This adds a 1 minute rate limit to all JS error reporting per IP. Previously
we would only use the global rate limit.

This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to
false then no JS error reporting will be allowed on the site.
2019-08-20 11:32:45 +10:00
Arpit Jalan
227a8644f1 SECURITY: don't reveal category details to users that do not have access 2019-08-19 12:43:15 +05:30
David Taylor
c2da14925e SECURITY: Restrict message-bus access on login_required sites 2019-08-14 10:10:24 +01:00
Gerhard Schlager
00d448105e FIX: Disallow user self-delete when user posted in PMs
All posts created by the user are counted unless they are deleted,
belong to a PM sent between a non-human user and the user or belong
to a PM created by the user which doesn't have any other recipients.

It also makes the guardian prevent self-deletes when SSO is enabled.
2019-08-10 12:07:09 +02:00
Sam Saffron
011805f577 Revert "FEATURE: add Noindex to robots.txt for disallowed routes"
This reverts commit d84256a876.

This is not supported by Google and causes robots.txt to be flagged as
invalid

Removing Noindex
2019-07-30 11:37:27 +10:00
David Taylor
1c4c41107a SECURITY: Sanitize email id for use as mutex key 2019-07-24 13:50:42 +01:00
David Taylor
60f710f2bd SECURITY: Add confirmation screen when connecting associated accounts 2019-07-24 13:36:14 +01:00
Gerhard Schlager
0933cdf285 SECURITY: Validate backup chunk identifier 2019-07-22 08:45:09 +02:00
Neil Lalonde
a3c836541c Version bump 2019-07-15 10:16:48 -04:00
Guo Xiang Tan
a3fccbc3c3 Fix the build.
Follow up to 4b0cf7f6dd.
2019-07-15 16:43:14 +08:00
Guo Xiang Tan
5516000740 SECURITY: XSS when displaying watched words in admin panel.
The XSS here is only possible if CSP is disabled. Low impact since CSP
is enabled by default in SiteSettings.
2019-07-15 11:00:19 +08:00
Robin Ward
8c890fa64a SECURITY: SQL injection with default categories
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.

The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event that bad data somehow
already exists.
2019-07-11 13:52:59 -04:00
Robin Ward
154ad2b402 SECURITY: Upgrade lodash
There is a security hole in lodash with prototype pollution. It's not
clear if Discourse is affected but to be on the safe side we will
upgrade right away.

Note that the front end Discourse does not appear to use `defaultsDeep`
in our custom build and should be protected.
2019-07-11 10:51:29 -04:00
Robin Ward
3d527546d7 SECURITY: XSS with title selector on preferences page
Note this is very low severity as the group needs to be created with a
default title that contains HTML, and group creation is restricted to
staff members right now.
2019-07-09 17:35:11 -04:00
Robin Ward
1d67cc0e44 SECURITY: Strip HTML from invite emails
We also strip new lines from the emails because it ruins the markdown
formatting which expects a one line message.
2019-07-05 14:58:31 -04:00
Arpit Jalan
815dbdb082 FIX: creating new badge is failing on empty SQL query (#7837) 2019-07-02 15:23:25 +05:30
Gerhard Schlager
fe98b0664a FIX: Don't send notification email when user isn't allowed to see topic 2019-07-02 09:05:52 +10:00
Gerhard Schlager
86145ca975 DEV: Respond with error 400 to uploads requested via XHR
follow-up to 13f38055
2019-06-27 11:30:36 +02:00
Gerhard Schlager
ae8d0513c3 SECURITY: XSS in routes
Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 16:44:59 +02:00
Bianca Nenciu
bba4786df2 SECURITY: Escape email text for posts containing [details]. 2019-06-26 16:44:52 +02:00
Neil Lalonde
0bf267a662 Version bump 2019-06-17 20:50:02 -04:00
David Taylor
db2b7b0b24 SECURITY: Add confirmation screen when logging in via user-api OTP 2019-06-17 18:18:25 +01:00
David Taylor
f19b9c8de8 SECURITY: Add confirmation screen when logging in via email link 2019-06-17 18:18:12 +01:00
Neil Lalonde
449d21b88c Version bump 2019-06-10 13:10:51 -04:00
Penar Musaraj
3f2c8dcc2a SECURITY: Bump Handlebars to version 4.1.2
WS-2019-0064: Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.
2019-06-05 15:16:50 -04:00
Neil Lalonde
9a9b0a6847 Version bump 2019-05-30 13:47:44 -04:00
Sam Saffron
1ab0f0ccb4 SECURITY: avoid use of send in favor of public_send 2019-05-07 17:21:04 +10:00
Joffrey JAFFEUX
a787f89440 FIX: ensures we have touches when starting pan event (#7435) 2019-04-25 11:07:52 +02:00
Joffrey JAFFEUX
f5416a987f Version bump 2019-04-24 16:23:00 +02:00
Sam Saffron
4a67301146 FEATURE: enable NGINX brotli support unconditionally
Previously we would rely on `enable brotli` in the web template to turn this
on; going forward this is on by default.
2019-04-11 12:42:23 +10:00
Robin Ward
e683e2d6b4 SECURITY: Update Handlebars to 4.1
This is to address: https://www.npmjs.com/advisories/755

It is a low priority fix, as Discourse does not allow end users to input
raw handlebars templates.
2019-04-10 16:08:26 -04:00
Guo Xiang Tan
b5cce6c276 Version bump. 2019-04-08 12:37:44 +08:00
Guo Xiang Tan
597c7c4bca SECURITY: Remove XSS in composer preview when applying image scale buttons. 2019-04-08 12:10:39 +08:00
Robin Ward
1bd0e1a32e FIX: Sometimes queued post would have a string for a category
In this case, don't migrate the old queued post category
2019-04-06 20:39:14 -04:00
Neil Lalonde
4b2cbf8858 Version bump 2019-04-05 12:24:37 -04:00
Neil Lalonde
be4b531072 Version bump 2019-03-28 11:05:56 -04:00
Sam Saffron
7daac542f6 SECURITY: properly validate return URL for SSO
Previously carefully crafted URLs could redirect off site
2019-03-25 09:03:47 +11:00
Roman Rizzi
1234acd2dd Version bump 2019-03-13 16:47:46 -03:00
Neil Lalonde
a7d3d8ffa1 Version bump 2019-03-11 14:22:48 -04:00
Neil Lalonde
a5df8c8dcf Version bump 2019-03-01 12:22:42 -05:00
Sam
e81266e795 SECURITY: bypass long GET requests
In some rare cases we would check URLs with very large payloads.
This ensures we always bypass and do not read entire payloads.
2019-02-27 21:52:20 +11:00
David Taylor
11af9ccfa5 REFACTOR: Proxy letter avatars in rails instead of nginx
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>

This gives more control over the request. In particular we can easily
lookup DNS dynamically, instead of only upon NGINX startup.
Previously, NGINX was looking up the IP for the letter avatar service and
caching the CDN IP address. This caused issues if the CDN changed IP, in
which case letter avatars would be broken until a container restarted.

NGINX config has been updated to add caching. This change will require
a container rebuild.

The proxy will now function in development environments, so the patch
for `letter_avatar_proxy` has been removed.
2019-02-18 08:52:20 +11:00
Sam
625ceaad31 FIX: unable to create new categories
Previous attempt at 70adb940 missed the critical "everyone" group from
staff, leading to a case where staff was no longer able to create categories
2019-02-15 10:27:41 +11:00
Bianca Nenciu
3d5991ff8f DEV: Improve test. 2019-02-14 23:05:06 +02:00
Bianca Nenciu
f808157670 FIX: Fix failing test. 2019-02-14 23:05:04 +02:00
Bianca Nenciu
2f196614fc SECURITY: Do not leak private group names. (#7008) 2019-02-14 23:05:02 +02:00
Vinoth Kannan
d8266319f4 FIX: Bump onebox version to include imgur security fix
(cherry picked from commit 36ff971c9c)
2019-02-13 11:56:23 +05:30
Vinoth Kannan
ee74122ce1 FIX: Bump onebox version to include imgur security fix
(cherry picked from commit fb911766ee)
2019-02-13 11:55:34 +05:30
Neil Lalonde
b1f5aa4058 Version bump 2019-02-07 11:07:28 -05:00
David Taylor
70e345518c SECURITY: Escape HTML in dashboard report tables 2019-02-01 13:11:52 +00:00
Neil Lalonde
7a079b286c Merge diffs from master 2019-01-31 17:52:14 -05:00
Neil Lalonde
448e960121 Version bump 2019-01-31 17:50:24 -05:00
Neil Lalonde
0a32b86f23 Version bump 2019-01-28 11:15:39 -05:00
Neil Lalonde
21f8511396 Version bump 2019-01-21 15:01:27 -05:00
Joffrey JAFFEUX
9f7e64eead SECURITY: fix possible XSS with badges (#6912) 2019-01-21 13:11:53 +01:00
Neil Lalonde
7f50fc4f70 Version bump 2019-01-14 17:03:48 -05:00
Sam
299f8ecdac SECURITY: escape title HTML for inline onebox 2019-01-10 12:04:58 +11:00
Neil Lalonde
5771b29d19 Version bump 2019-01-02 15:33:06 -05:00
Guo Xiang Tan
fca2117d2b SECURITY: Users can pick non-avatar uploads.
https://meta.discourse.org/t/bug-report-idor-on-avatar-pick-function-discussions-udacity-com/103564
2018-12-18 13:56:27 +08:00
Neil Lalonde
eccad71d6c Version bump 2018-12-14 12:22:27 -05:00
Sam
4ceb77115e DEV: anonymizing should not delete uploads
We have another job for upload deletion because uploads may be shared
2018-12-13 16:42:52 +11:00
Sam
e2c2321634 SECURITY: do not delete avatars uploads when deleting accounts
We rely on the clean up uploads job to do this safely
2018-12-13 16:33:00 +11:00
Sam
a1332a906b FIX: remove slow platform detection from server side
Historically due to https://meta.discourse.org/t/why-is-discourse-so-slow-on-android/8823
we decreased page sizes of both home page and topic page on android by half.

This was done on the server side and, as a side effect, caused page sizes
to mismatch between Android and non-Android.

Unfortunately about a year ago googlebot started pretending it is Android.
This caused Google to start indexing pages as what Android would see, so
it saw double the amount of pages in the index as what exists on desktop.
This in turn caused double the amount of indexing work and a large amount
of broken links on long topics.

This fix removes all special behavior which is no longer needed due to
other performance work in Discourse including raw handlebars on home page
and virtual dom on topic pages.

I tested that we do not need this on a Blu Advance 5.0; it has a 1.3 GHz MediaTek MT6580.
This phone retails for around $50 USD.

If we decide long term that we want any hacks like this we will shift them
to the client side. It can just hold data in memory without rendering.
2018-12-13 16:15:16 +11:00
David Taylor
7d9b672877 FIX: Do not serialize user fields unless they are specified for display (#6736) 2018-12-07 11:00:47 +00:00
Guo Xiang Tan
ff5f991980 SECURITY: Require groups to be given when inviting to a restricted category. (#6715) 2018-12-06 15:05:34 +01:00
Guo Xiang Tan
e6ad3ef0ff DEV: Don't publish post messages to non-human users. 2018-12-06 15:04:40 +01:00
Régis Hanol
91610578a8 FIX: properly secure poll message bus
Co-authored-by: Sam <sam.saffron@gmail.com>
2018-12-06 15:04:31 +01:00
Vinoth Kannan
704da6e9e9 FIX: incoming email matches the wrong user if null bounce key available in db 2018-11-30 13:45:29 +05:30
Neil Lalonde
1ac67cb1b3 Version bump 2018-11-29 11:18:21 -05:00
Sam
bc4cb4f871 SECURITY: enforce hostname to match discourse hostname
This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname
2018-11-15 16:12:28 +11:00
Sam
bbf7bb176c SECURITY: update rack from 2.0.5 to 2.0.6
This release contains security fixes to the underlying rack library
used by Discourse.

Impact is not too high as we do not use request.scheme in our templates
2018-11-07 10:06:05 +11:00
David Taylor
a4c03a6496 Version bump 2018-11-05 11:18:34 +00:00
Joffrey JAFFEUX
ee3cf05acc UX: bumps the user-api-key version to 3 (#6526)
* UX: bumps the user-api-key version to 3

* fix spec
2018-11-02 11:04:23 +01:00
Joffrey JAFFEUX
cdb4c1651b FEATURE: adds latest to user-api-key session scope 2018-11-02 11:04:10 +01:00
Joffrey JAFFEUX
311f29d9d6 FEATURE: adds list#(unread|new) to user api key routes (#6494) 2018-11-02 11:04:01 +01:00
Kyle Zhao
eb54bf9e5b SECURITY: update loofah for CVE-2018-16468 2018-10-30 11:36:21 -04:00
Neil Lalonde
df61b9309d Version bump 2018-10-12 10:56:02 -04:00
Guo Xiang Tan
b1b9faeae6 Fix UploadRecovery from S3 fails with bucket name containing sub-folder. 2018-10-01 20:22:54 +08:00
Guo Xiang Tan
158662519d Fix onceoff job in cfa7173da3 not running. 2018-10-01 18:36:39 +08:00
Guo Xiang Tan
81c21681ce FIX: Onceoff job to fix missing user profile backgrounds. 2018-10-01 18:31:56 +08:00
Sam
fd8bf5d2cb FIX: correct readonly timeout
So it only applies in readonly mode
2018-09-20 15:18:35 +10:00
Sam
ad74eea50d FIX: in redis readonly raise an exception from DistributedMutex
If we detect redis is in readonly we can not correctly get a mutex, so
raise an exception to notify the caller.

When getting optimized images avoid the distributed mutex unless
for some reason it is the first call and we need to generate a thumb

In redis readonly no thumbnails will be generated
2018-09-19 15:51:17 +10:00
Sam
0ec92f95d4 SECURITY: correct XSS on long topic titles 2018-09-18 08:55:43 +10:00
Sam
98ff2fd8ab SECURITY: remove admin memory diagnostics routes 2018-09-18 08:35:54 +10:00
Guo Xiang Tan
8a22e60438 Backward compatibility for dropping functions in ColumnDropper.
https://meta.discourse.org/t/launcher-rebuild-error-pg-error-schema-discourse-functions-does-not-exist/96209
2018-09-17 14:52:54 +08:00
Neil Lalonde
0b282fb812 Version bump 2018-09-14 11:43:45 -04:00
Guo Xiang Tan
8a171389e1 FIX: Onceoff job to recover missing post uploads.
This fixes the regression due to 1f636c445b
2018-09-14 11:13:21 +08:00
Guo Xiang Tan
cb3be41ead DEV: Avoid using send and make the method public instead. 2018-09-14 11:12:56 +08:00
Guo Xiang Tan
8c417d949e Accept custom AR relation for UploadRecovery. 2018-09-14 11:12:46 +08:00
Guo Xiang Tan
f1f0a6b358 FIX: Do not try to recover invalid Upload#short_url in UploadRecovery. 2018-09-14 11:12:39 +08:00
Guo Xiang Tan
eb5f34b779 Fix the build. 2018-09-14 11:12:30 +08:00
Guo Xiang Tan
33e09ca6d6 Add basic test case for UploadRecovery. 2018-09-14 11:12:19 +08:00
Guo Xiang Tan
7784bbe702 Rescue errors when running dry run for UploadRecovery. 2018-09-14 11:12:09 +08:00
Guo Xiang Tan
be9e64eabf Fix s3 recovery from tombstone in UploadRecovery. 2018-09-14 11:12:00 +08:00
Guo Xiang Tan
0793253b0b Add dry run option to UploadRecovery. 2018-09-14 11:11:55 +08:00
Guo Xiang Tan
07a53907a7 Fix incorrect variable. 2018-09-14 11:11:41 +08:00
Guo Xiang Tan
29e9329eb3 New rake task uploads:recover. 2018-09-14 11:11:35 +08:00
Guo Xiang Tan
ec0dccf438 DEV: Print the error class in uploads:list_posts_with_broken_images. 2018-09-14 11:11:28 +08:00
Guo Xiang Tan
45146818d7 Add extra protection in Upload#get_from_url.
In case the extension goes missing from the URL.
2018-09-14 11:11:22 +08:00
Joffrey JAFFEUX
5ab9a9d898 FIX: ensures we have a color for reports (#6396) 2018-09-13 18:53:30 +02:00
Arpit Jalan
a43ddace3e FIX: ignore and log bad json values for custom fields 2018-09-13 17:41:10 +05:30
Guo Xiang Tan
8069b664b0 FIX: Uploads not being linked correctly to posts.
Regression due to 1f636c445b.
2018-09-12 00:01:31 -07:00
Neil Lalonde
187505d0ba Version bump 2018-09-10 19:43:35 -04:00
Sam
580caa9ef1 SECURITY: correct edge case when SSO provides unvalidated emails 2018-09-11 08:24:48 +10:00
Neil Lalonde
f75dc4ca65 Version bump 2018-08-30 10:53:41 -04:00
David Taylor
e91b3ec707 SECURITY: Prevent users from modifying custom fields 2018-08-30 13:00:11 +01:00
Neil Lalonde
d8f0379931 Version bump 2018-08-21 11:55:00 -04:00
Neil Lalonde
e8b880deae SECURITY: prevent use of X-Forwarded-Host to perform XSS 2018-08-13 17:09:20 -04:00
Neil Lalonde
4372f468ee Version bump 2018-08-07 12:33:08 -04:00
Neil Lalonde
6aecebf294 Version bump 2018-07-26 14:16:20 -04:00
David Taylor
e2e2d57f37 FIX: Remove return statement from inside block 2018-07-26 15:59:36 +01:00
Régis Hanol
c2d596b223 SECURITY: force IM decoder based on file extension - part 3 2018-07-25 23:55:34 +02:00
Régis Hanol
b02e29829e SECURITY: force IM decoder based on file extension - part 2 2018-07-25 23:08:25 +02:00
Régis Hanol
a39aa9c61d SECURITY: force IM decoder based on file extension 2018-07-25 22:00:53 +02:00
David Taylor
7926a1f7bb FIX: Remove plugin.enabled? checks at initialization time (#6166)
Checking `plugin.enabled?` while initializing plugins causes issues in two ways:
  - An application restart is required for changes to take effect. A load-balanced multi-server environment could behave very weirdly if containers restart at different times.
  - In a multisite environment, it takes the `enabled?` setting from the default site. Changes on that site affect all other sites in the cluster.

Instead, `plugin.enabled?` should be checked at runtime, in the context of a request. This commit removes `plugin.enabled?` from many `instance.rb` methods.

I have added a working `plugin.enabled?` implementation for methods that actually affect security/functionality:
  - `post_custom_fields_whitelist`
  - `whitelist_staff_user_custom_field`
  - `add_permitted_post_create_param`
2018-07-25 16:45:24 +01:00
Robin Ward
66a96b1ed2 SECURITY: Consider 0.0.0.0 a private IP 2018-07-24 11:16:57 -04:00
Vinoth Kannan
a286be473a FIX: returns provider_not_enabled error even if enabled 2018-07-16 11:06:48 +01:00
Sam
6fc8c494a3 SECURITY: extra CORS headers should be set on correct host 2018-07-11 09:30:02 +10:00
David Taylor
d0130e4ab9 SECURITY: Do not allow authentication with disabled plugin-supplied a… (#6071)
Do not allow authentication with disabled plugin-supplied auth providers
2018-07-09 14:27:04 +10:00
Sam
284e65f7d3 SECURITY: category badges should HTML escape names 2018-06-28 18:15:47 +10:00
Joffrey JAFFEUX
96cb283170 SECURITY: prevents XSS when showing tooltip 2018-06-27 14:46:57 +02:00
Dax74
3d5b8c16b7
Link updated
There was a link to a deleted guide, see https://meta.discourse.org/t/wrong-link-on-manual-admin-creation/90849
2018-06-27 11:33:09 +02:00
Neil Lalonde
f5ee848ab0 Version bump 2018-06-21 10:42:01 -04:00
Sam
8d6fbe1769 SECURITY: update sprockets for CVE-2018-3760 2018-06-20 09:50:54 +10:00
Guo Xiang Tan
1e044c6c75 Monkey patch in 7830a950ef 2018-06-19 10:37:32 +08:00
Neil Lalonde
a2ebae2d5b Version bump 2018-05-31 18:29:51 -04:00
Sam
7e055e01c5 drop ruby 2.3 testing 2018-05-21 14:26:05 +10:00
Sam
d72e4ee84e SECURITY: remove alert dialog from local dates 2018-05-21 12:29:06 +10:00
Sam
8ef654d71f Merge branch 'master' into beta 2018-05-17 12:09:55 +10:00
Neil Lalonde
f1ea9cbd91 Version bump 2018-05-04 15:32:31 -04:00
Neil Lalonde
6fb8361be8 Version bump 2018-05-03 16:57:26 -04:00
Sam
5ec054623e clean up drag on iOS handling, we need it bound earlier 2018-04-30 15:57:23 +02:00
Sam
9dc47dbd33 improve prev hack 2018-04-30 15:57:16 +02:00
Sam
9506f7448f FIX: dragging of timeline was flaky on iOS 2018-04-30 15:57:09 +02:00
Neil Lalonde
7e69341dcd Version bump 2018-04-24 11:17:30 -04:00
Neil Lalonde
710af4b28c Version bump 2018-04-13 10:47:10 -04:00
Neil Lalonde
6bc76a9573 Version bump 2018-03-26 11:23:15 -04:00
Vinoth Kannan
1448f8b8e7 SECURITY: Oneboxer should escape the URL before processing
(cherry picked from commit 58bb3967e5)
2018-03-15 20:04:50 +05:30
Neil Lalonde
edfd3967ab Version bump 2018-03-07 15:18:39 -05:00
Sam
4d9d864df7 SECURITY: ensure users have permission when moving categories 2018-03-02 12:14:18 +11:00
Neil Lalonde
dae9d369ec Version bump 2018-02-15 17:48:49 -05:00
Sam
9dd4a59226 SECURITY: correct local onebox category checks
Also removes ugly "source_topic_id" from cooked posts

Patch was authored by @zogstrip

Signed-off-by: Sam <sam.saffron@gmail.com>
2018-02-14 10:41:07 +11:00
Robin Ward
1687d3657f SECURITY: Prevent robots from indexing more routes
These routes could contain sensitive material and should never be
indexed for content.
2018-02-04 13:27:07 -05:00
Neil Lalonde
557dde29c7 Version bump 2018-01-31 12:18:54 -05:00
Gerhard Schlager
7129e6e4cb SECURITY: email domain whitelist could be bypassed 2018-01-17 21:47:50 +01:00
Neil Lalonde
387bdadbe2 Version bump 2018-01-03 16:55:22 -05:00
Neil Lalonde
63d48a0ed9 Version bump 2017-12-20 18:50:51 -05:00
Guo Xiang Tan
636b31bc3c SECURITY: Don't pass email backup token to sidekiq as a parameter.
* This exposes the token in the Sidekiq dashboard which can be
  viewed by an admin and defeats the purpose of using a token
  in the download backup email link.
2017-12-18 11:33:24 +08:00
Guo Xiang Tan
3f21f63a42 SECURITY: Any group can be invited into a PM. 2017-12-14 15:02:01 +08:00
Sam
2baa4c9b13 SECURITY: prevent staged accounts from changing email
# Conflicts:
#	app/controllers/users_controller.rb
#	spec/controllers/users_controller_spec.rb
2017-12-14 17:21:55 +11:00
Neil Lalonde
04f361eb72 Version bump 2017-12-12 11:38:26 -05:00
Neil Lalonde
0c40e2dddf Version bump 2017-11-30 16:33:01 -05:00
Neil Lalonde
8f77b478e4 Version bump 2017-10-30 11:21:04 -04:00
Neil Lalonde
922e84826b SECURITY: signup without verified email using Google auth 2017-10-16 14:51:06 -04:00
Neil Lalonde
744e0613f0 Version bump 2017-10-13 11:30:34 -04:00
Arpit Jalan
39279cf66c SECURITY: verify that inviter can invite new user to a topic 2017-10-09 16:38:07 +05:30
Guo Xiang Tan
24a0507d64 SECURITY: Fix XSS on unsubscribed page. 2017-10-09 11:23:01 +08:00
Neil Lalonde
5f0249f4ec Version bump 2017-10-06 11:29:02 -04:00
Robin Ward
1069924c1f FIX: Remove unused mixin 2017-09-29 11:24:51 -04:00
Robin Ward
b83bc6c2e9 Revert "A safe way to create class variables in a multisite environment."
The approach taken by this interface was flawed. We need a better
solution.
2017-09-29 11:24:27 -04:00
Régis Hanol
9a23cf8921 FIX: wasn't able to save watched/tracked/muted categories/tags 2017-09-29 13:27:01 +02:00
Neil Lalonde
f1a068367a Version bump 2017-09-28 15:27:56 -04:00
Guo Xiang Tan
bad3d4e29d SECURITY: Update Nokogiri. 2017-09-25 21:04:53 +08:00
Régis Hanol
0a7d18b525 Version bump 2017-09-16 00:55:52 +02:00
Neil Lalonde
b2660b7d12 Version bump 2017-09-14 11:09:30 -04:00
Robin Ward
1ce4a4dab8 FIX: Users should be able to activate their emails even if unapproved
Note in discourse `active` means "Email is active" - they still can't
login until approved
2017-09-12 15:16:43 -04:00
Robin Ward
ee59a2b5c8 SECURITY: Prevent users from updating to blacklisted email domains 2017-09-12 10:13:20 -04:00
David Taylor
edb53404a2 SECURITY: Only publish PM reply messagebus notifications to allowed users 2017-09-08 17:32:52 -04:00
Robin Ward
1e5d451cb1 Merge branch 'master' into beta 2017-08-31 14:54:57 -04:00
Neil Lalonde
b124ada186 Version bump 2017-08-17 15:59:39 -04:00
Neil Lalonde
e81aa395c4 Version bump 2017-08-16 12:49:36 -04:00
David Taylor
76edd571bd SECURITY: Do not show latest/top topics on 404 for login_required sites 2017-08-13 23:44:33 +05:30
Neil Lalonde
2b216c6cef Version bump 2017-08-01 14:32:48 -04:00
Guo Xiang Tan
cf05ad54a9 FIX: Exclude www in topic map links.
https://meta.discourse.org/t/topic-popular-links-panel-domain-extraction-doesnt-handle-country-tlds/60156/38?u=tgxworld
2017-07-26 10:00:39 +09:00
Guo Xiang Tan
0bf928ad84 Revert "UX: Don't try to figure out root domain."
This reverts commit 7690cc6ca5.
2017-07-26 10:00:39 +09:00
Robin Ward
0df14fa2b5 FIX: Allow discourse app to link directly to wizard 2017-07-10 14:35:35 -04:00
Neil Lalonde
6e80ace6de Version bump 2017-07-10 11:45:58 -04:00
Robin Ward
df508e8027 SECURITY: Remove disposable invite feature 2017-07-07 20:46:43 -04:00
Neil Lalonde
3989a0d9f9 Version bump 2017-07-05 12:24:00 -04:00
Arpit Jalan
1ec4a9539e FIX: include canonical meta tag on category pages 2017-07-03 14:43:02 +05:30
Robin Ward
9798e1e588 FIX: Topic Entrance wasn't showing up on some suggested topics 2017-06-29 12:54:21 -04:00
Régis Hanol
8a755831bf FIX: image orientation wasn't properly working 2017-06-23 10:19:21 +02:00
Robin Ward
40cda06e3e FIX: Always allow the host the forum is hosted on 2017-06-13 10:45:09 -04:00
Neil Lalonde
a7c4969c79 Version bump 2017-06-12 12:48:54 -04:00
Guo Xiang Tan
11dee669b1 FIX: Bot mentioned check should be case insensitive. 2017-06-08 19:05:38 +09:00
Guo Xiang Tan
7fda914d1a Move the constant as well. 2017-06-06 15:40:00 +09:00
Guo Xiang Tan
c7efbcfb80 FIX: Ensure that we cancel any timeout jobs when terminating a track. 2017-06-05 16:28:46 +09:00
Guo Xiang Tan
85aa569eea FIX: Bot should only respond to regular posts. 2017-06-05 15:27:26 +09:00
Régis Hanol
2fe8d9ca00 FIX: PNG-to-JPEG conversion should only be done to images with at least 1 megapixel 2017-06-03 21:52:01 +02:00
Régis Hanol
56b91a0175 FIX: automatic PNG-to-JPEG conversion should use a default white background 2017-06-03 21:51:56 +02:00
Guo Xiang Tan
c047611421 Revert "Skip validations when Discobot creates new posts."
This reverts commit ca7e906774.

Post validations are already skipped for admin users. Skipping
validations cause polls to not work.
2017-06-03 07:21:24 +09:00
Robin Ward
8b989b71cc FIX: Don't run in testing mode 2017-06-02 13:07:50 -04:00
Robin Ward
0eaa6defa0 SECURITY: Vulnerability in mail gem
(see https://github.com/mikel/mail/pull/1097)
2017-06-01 14:52:24 -04:00
Guo Xiang Tan
d5c4215f82 Revert "Load posts in batches while indexing problem posts."
This reverts commit ce57ff9fcf.

Limit is ignored with `find_each`.
2017-06-01 11:35:21 +09:00
Neil Lalonde
7ae8733e93 Version bump 2017-05-31 16:42:19 -04:00
Neil Lalonde
be8723ab9c Version bump 2017-05-22 13:50:00 -04:00
Robin Ward
518bd00135 SECURITY: Validate the entity when downloading a CSV 2017-05-19 16:01:13 -04:00
Neil Lalonde
f823aaadef Version bump 2017-05-15 11:48:08 -04:00
Guo Xiang Tan
a32b7bd37a Disable failing JS tests first. 2017-05-05 10:08:13 +08:00
Robin Ward
a117ae25a8 FIX: Regression when clicking on post date 2017-05-04 13:51:15 -04:00
Guo Xiang Tan
63ae563b5a FIX: Show share popup only for valid buttons. 2017-05-04 11:20:16 -04:00
Guo Xiang Tan
80c93e23ac SECURITY: XSS issue in share popup if invalid link is passed in. 2017-05-04 11:07:36 -04:00
Neil Lalonde
8b8dee956c Version bump 2017-04-27 14:06:11 -04:00
Neil Lalonde
6bb2dd0584 Version bump 2017-04-10 14:32:26 -04:00
Sam Saffron
a3fbb64a0e SECURITY: prefer render plain/html to render text where possible 2017-04-10 08:03:32 -04:00
Sam Saffron
1b5d7c1659 SECURITY: do not send push notifications to suspended users 2017-04-05 08:29:23 -04:00
Neil Lalonde
1a7b576ec6 Version bump 2017-03-28 11:34:23 -04:00
Robin Ward
1d78baee0d Update facebook login gem 2017-03-27 17:23:02 -04:00
Guo Xiang Tan
709805ae02 SECURITY: CSRF vulnerabilities in Admin::BackupsController. 2017-03-23 10:52:40 +08:00
Neil Lalonde
919f33f377 Version bump 2017-03-20 12:07:13 -04:00
Guo Xiang Tan
21c4c1d9d4 SECURITY: Disallow symlinks when restoring uploads. 2017-03-17 14:30:29 +08:00
Robin Ward
5cbad06de4 SECURITY: Don't use backticks for exporting your archive 2017-03-16 16:27:30 -04:00
Sam
a9207d87b9 SECURITY: always allow staff to resend activation mails 2017-03-13 10:33:03 -04:00
Guo Xiang Tan
cb731dbecd FIX: Store user's id instead for sending activation email.
* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.
2017-03-13 20:59:14 +08:00
Guo Xiang Tan
a91d0f39bc SECURITY: Only allow users to resend activation email with a valid session.
* Improve error when an active user tries to request for an activation email.
2017-03-13 20:59:08 +08:00
Neil Lalonde
7d40cd92f8 Version bump 2017-03-08 12:23:21 -05:00
Robin Ward
0a35966465 Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email."
This reverts commit 1060239e2d.
2017-02-27 13:36:51 -05:00
Guo Xiang Tan
ee0c293c26 FIX: Mobile topic timeline broken on Chrome 56.
* See https://developers.google.com/web/updates/2017/01/scrolling-intervention.
  From Chrome 56 onwards, `touchstart` event listeners are treated as passive
  by default which does not call `preventDefault` resulting in the page
  scrolling when topic timeline handle is being dragged.
2017-02-27 13:23:41 +08:00
Guo Xiang Tan
a87f9e627b SECURITY: Ensure oAuth authenticated email is the same as created user's email. 2017-02-24 15:44:17 +08:00
Guo Xiang Tan
52022fe58d Revert "SECURITY: Ensure that user has been authenticated."
This reverts commit 86b0f589c9.
2017-02-24 15:44:10 +08:00
Guo Xiang Tan
86b0f589c9 SECURITY: Ensure that user has been authenticated. 2017-02-24 11:46:03 +08:00
Sam
1893b76977 SECURITY: inactive/suspended accounts should be banned from api
Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:04:04 -05:00
Neil Lalonde
2f536423de Version bump 2017-02-14 17:39:20 -05:00
Neil Lalonde
546d21116f Version bump to v1.8.0.beta6 2017-02-14 17:39:11 -05:00
Neil Lalonde
4f00241488 Version bump 2017-02-13 16:46:20 -05:00
Sam
1e7589f758 new: server plugin outlet for indexable robots.txt 2017-02-13 14:06:14 -05:00
Sam
98811332d8 SECURITY: correctly validate input when admin searches for screened ips 2017-02-06 16:11:35 -05:00
Sam
d28bf7bddd UX: less restrictive selector to allow for plugin outlets
Currently plugin outlets in LIs will generate a wrapping SPAN,
this makes an allowance in core for nav extensions (like solved does)
2017-02-02 12:18:37 -05:00
Neil Lalonde
9fa29ca898 Version bump 2017-01-26 17:38:26 -05:00
Neil Lalonde
29df37d430 Version bump 2017-01-26 13:41:05 -05:00
Robin Ward
738ee9620e SECURITY: Prevent large onebox downloads, better timeout support 2017-01-25 14:58:11 -05:00
Guo Xiang Tan
f67f425b79 Fix broken emojis. 2017-01-24 16:19:34 +08:00
Régis Hanol
e14412a676 FIX: log backups download/destroy staff action
FIX: clean up junk left by the specs
RENAME: 'backup_operation' to 'backup_create' to match other backup log types
2017-01-16 19:57:42 +01:00
Robin Ward
a150616b79 Version bump to v1.8.0.beta2 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
0c2b7f242f Remove lines that are no longer valid. 2017-01-13 11:43:24 -05:00
Matt Palmer
3591fe8aef FEATURE: Better error message when incoming e-mail is missing a Date: header 2017-01-13 11:43:24 -05:00
Arpit Jalan
4fa3fa2a79 Update Translations 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
b2b3f3b95d UX: Truncate topic link title/URL on desktop to prevent overflow. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
f919b59c8b Fix syntax error. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
070296f9d1 Oops. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
6821353360 Make mention bot assign reviewers for collaborators as well. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
186ca3d106 FEATURE: Log admin action when readonly mode is changed. 2017-01-13 11:43:24 -05:00
Jeff Atwood
c5d91cb5d5 FIX: add noopener to website field in user profile 2017-01-13 11:43:24 -05:00
Régis Hanol
e0c009557d FEATURE: new 'max_image_megapixels' site setting 2017-01-13 11:43:24 -05:00
Régis Hanol
b3f8402849 bump onebox 2017-01-13 11:43:24 -05:00
Jay Pfaffman
f746e39fbe use .presence rather than DIY checking 2017-01-13 11:43:24 -05:00
Jay Pfaffman
62110bddd8 bbpress: Use nicename if display_name is missing 2017-01-13 11:43:24 -05:00
Neil Lalonde
a371f223c2 more specs for staff action logging 2017-01-13 11:43:24 -05:00
Robin Ward
392c769b37 Let's not notify for trust levels on Staff, either 2017-01-13 11:43:24 -05:00
Arpit Jalan
b9ec4f6efb FIX: only allow CSV file to be uploaded for bulk invite 2017-01-13 11:43:24 -05:00
Régis Hanol
a3c6209cca remove 'already initialized constant' warning 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
94b0bc4228 Use any orientation for web app manifest. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
c515b505f1 FIX: Perform emoji unescape for topic titles in quotes. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
71f583c9eb Use a different Redis key when PG failover sets site to readonly mode. 2017-01-13 11:43:24 -05:00
Jeff Atwood
b5a869eb32 switch from "API Requests" to "Pageviews" 2017-01-13 11:43:24 -05:00
Neil Lalonde
7e49c957ad Don't display email addresses in staff action logs for revoked email 2017-01-13 11:43:24 -05:00
Neil Lalonde
28762f3446 Don't show email of deleted users in staff action logs 2017-01-13 11:43:24 -05:00
Neil Lalonde
f1afbe4e5f Staff action logs explain when system is deleting a post because author marked it to be deleted 2017-01-13 11:43:24 -05:00
Neil Lalonde
8236658581 Add more info in staff action logs for blocking a user, and add logging for lock trust level, activate, and deactivate user 2017-01-13 11:43:24 -05:00
Jeff Atwood
54db7ea0be SECURITY: disallow csv as default upload file type 2017-01-13 11:43:24 -05:00
Robin Ward
44189faab2 Don't give notifications to admins for trust level notifications 2017-01-13 11:43:24 -05:00
Jeff Atwood
a0db82bed4 update mobile android screenshot for 1.7 2017-01-13 11:43:24 -05:00
Arpit Jalan
c55d6deef6 use table prefix in bbpress import script 2017-01-13 11:43:24 -05:00
Ola Christensson
21431c9107 Display tabs with smaller widths for code blocks
The default browser behavior is a tab width of 8 characters. This changes the width to 4 characters.
2017-01-13 11:43:24 -05:00
Robin Ward
8da8937e4a Plugins can register providers for global settings 2017-01-13 11:43:24 -05:00
Régis Hanol
3b08cf6955 handle emails with localized headers 😠 2017-01-13 11:43:24 -05:00
Robin Ward
ec4752909e Revert "Experimental feature to load gemfiles from plugins"
This reverts commit 64652f98ab.
2017-01-13 11:43:24 -05:00
Robin Ward
5a92aca19d FIX: Don't allow formatting in titles when quoting other topics 2017-01-13 11:43:24 -05:00
Neil Lalonde
baf5d0f8a3 FIX: an image can be shown twice in summary emails 2017-01-13 11:43:24 -05:00
Robin Ward
394c1cfda0 Experimental feature to load gemfiles from plugins 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
c9ea04ffd2 oops fix specs. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
8983ad20de FIX: Add validation to disallow censored words in topic title. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
b26e18025e UX: Display large numbers with delimiters. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
3ffa889aa8 Make eslint happy. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
469eaa23a8 UX: Observe changes to plugin to hide/show plugin admin link without refresh. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
8ae6e49ad2 FIX: Login modal on mobile does not submit on enter. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
0485ea918b Revert "Run Travis against 2.4.0 as well."
This reverts commit 0000de9501.
2017-01-13 11:43:24 -05:00
Guo Xiang Tan
748d1590c1 FIX: Respect site setting to hide username in mailing list summary. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
e910f7f3fe Make eslint happy. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
d29f363528 FIX: Can't add categories when creating a new web hook. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
13adf8e4df Fix typo. 2017-01-13 11:43:24 -05:00
Guo Xiang Tan
7085f0bee6 Run Travis against 2.4.0 as well. 2017-01-13 11:43:24 -05:00
Miroslav Michalicka
2853b6f109 Fix typos 2017-01-13 11:43:24 -05:00
Miroslav Michalicka
b8ef8890ee Migration script from Drupal 6 2017-01-13 11:43:24 -05:00
Jeff Atwood
8d6bbd7511 add Hacker One page to security.md 2017-01-13 11:43:24 -05:00
Jeff Atwood
e03b7ce445 Update INSTALL-cloud.md 2017-01-13 11:43:24 -05:00
Kurtis Rainbolt-Greene
f15c14775a Allow for a custom hub server 2017-01-13 11:43:24 -05:00
Jeff Atwood
b59a1136a2 Update INSTALL-cloud.md 2017-01-13 11:43:24 -05:00
Alexey Py
813d8c5857 Update copyright year
Update year to 2017
2017-01-13 11:43:24 -05:00
Régis Hanol
16e590563d FIX: don't onebox to IP addresses 2017-01-12 22:36:25 +01:00
Neil Lalonde
ee17eb98a3 Version bump 2017-01-06 16:11:12 -05:00
Robin Ward
7cb376d6f4 SECURITY: Moderators should not be able to access customizations 2017-01-06 14:43:12 -05:00
Neil Lalonde
5a31a7b3d3 Version bump 2016-12-28 18:15:26 -05:00
Guo Xiang Tan
969276b57f SECURITY: Users can only bookmark posts which they can see. 2016-12-21 12:16:13 +08:00
Sam
01bbd1f316 SECURITY: prevent reuse of password reset 2016-12-19 18:01:06 +11:00
Sam
f79dbbe4ff SECURITY: update onebox gem 2016-12-19 13:20:12 +11:00
Sam
bc8fa638c1 SECURITY: protect upload params, only allow very strict filenames 2016-12-19 10:18:03 +11:00
Sam
4ba28a08a3 SECURITY: fix reflected XSS with safe_mode param
(only applies to beta and master)
2016-12-19 10:12:34 +11:00
Sam
e23af6eea4 SECURITY: don't grant same privileges to user_api and api access
User API no longer gets the bypasses that the standard API gets.
Only bypasses are CSRF and XHR requirements.
2016-12-16 12:06:19 +11:00
Neil Lalonde
40fc83843b Version bump 2016-12-14 14:58:19 -05:00
Arpit Jalan
ec974b1235 SECURITY: escape advanced search term 2016-12-08 11:02:10 +01:00
Neil Lalonde
80535b09f1 Version bump 2016-12-07 17:50:59 -05:00
Neil Lalonde
651886be58 Version bump 2016-11-28 16:07:21 -05:00
Robin Ward
b4b8e0dd12 Backport get-owner API so plugins can use it safely 2016-11-21 11:15:59 -05:00
Neil Lalonde
ad7dbae939 Version bump 2016-11-02 13:48:12 -04:00
Régis Hanol
e6047f2b65 FIX: uploading custom avatar was always hidden 2016-10-20 23:01:11 +02:00
Neil Lalonde
befac23d6f Version bump 2016-10-20 10:50:10 -04:00
Guo Xiang Tan
d7b31e291b Merge pull request #4505 from Dax74/patch-2
Create server.it.yml for details plugin
2016-10-17 10:17:40 +08:00
Dax74
97ddc82356 Create server.it.yml for details plugin
Italian translation
2016-10-16 18:24:28 +02:00
Neil Lalonde
ccbfacbfb0 Version bump 2016-09-22 12:52:51 -04:00
cpradio
935a50cb3c Escape the hyphen 2016-09-19 09:04:14 +08:00
cpradio
35e1ac9db1 FIX: Backup validation wasn't escaping hyphens 2016-09-19 09:04:03 +08:00
Guo Xiang Tan
8160483872 SECURITY: Add filename validation for backup uploads. 2016-09-16 12:52:23 +08:00
Guo Xiang Tan
a174c68f6c SECURITY: Escape input made to system calls. 2016-09-16 12:52:15 +08:00
Neil Lalonde
3ed844da92 Version bump 2016-09-13 12:24:15 -04:00
Neil Lalonde
5ca5b362fe Version bump 2016-08-25 12:01:21 -04:00
Neil Lalonde
1b2a6c6cb6 Version bump 2016-08-12 11:49:30 -04:00
Robin Ward
62bff49f14 FIX: Travis failure 2016-08-11 13:49:07 +08:00
Guo Xiang Tan
9e139f0278 SECURITY: Escape HTML in filename. 2016-08-11 13:48:50 +08:00
Guo Xiang Tan
d88481ec52 SECURITY: Escape image title in lightbox. 2016-08-11 11:19:19 +08:00
Régis Hanol
b3cc71032e FIX: wasn't able to update category's settings 2016-08-09 23:58:15 +02:00
Sam
6ac351dc7e SECURITY: do cookie auth rate limiting earlier 2016-08-09 10:04:24 +10:00
Guo Xiang Tan
c5f0a2db2e Revert "UX: Centering Badge notification styles on mobile."
This reverts commit fce902ab1e.
2016-08-08 09:37:42 +08:00
Neil Lalonde
7bffcdee75 Version bump 2016-08-05 15:18:35 -04:00
Robin Ward
20127b40e3 SECURITY: XSS issue on Admin users list 2016-08-05 12:05:49 -04:00
Robin Ward
309c9c3902 SECURITY: Avoid mass assignment on user create 2016-08-05 12:05:44 -04:00
Robin Ward
0fb314023c FIX: Regression with escaping on badge page 2016-07-28 15:57:57 -04:00
Robin Ward
afd0fcb99c SECURITY: Make sure uploaded_urls have corresponding upload records 2016-07-28 14:40:22 -04:00
Robin Ward
f496a7d54b SECURITY: Cross-Site Scripting in Category and Group Settings 2016-07-28 14:40:11 -04:00
Robin Ward
ae6c7c6c5e SECURITY: SQL Injection in Admin List Active Users 2016-07-28 14:40:04 -04:00
Robin Ward
0c6efc0307 SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions 2016-07-28 14:39:56 -04:00
Sam
6284485970 SECURITY: limit route access when using external avatars 2016-07-28 09:04:07 +10:00
Sam
f14358e751 SECURITY: disable user entered badge SQL by default
- Hidden site settings now must be changed via rails console
2016-07-28 09:03:46 +10:00
Neil Lalonde
aa6d9e74d3 Version bump 2016-07-26 11:50:04 -04:00
Guo Xiang Tan
f4917dffbf SECURITY: Possible SQL injection. 2016-07-19 13:02:41 +08:00
Neil Lalonde
94e937141b Version bump 2016-07-11 11:27:40 -04:00
Régis Hanol
b009ebe2a4 Version bump 2016-06-30 18:05:12 +02:00
Neil Lalonde
b1fb1831df Version bump 2016-06-21 11:45:55 -04:00
Sam
97acd3f93b SECURITY: update logster 2016-06-20 12:13:11 +10:00
Sam
a874890ab3 SECURITY: restrict constantize classes in search controller 2016-06-17 13:48:46 +10:00
Robin Ward
01e9777f54 SECURITY: Unapproved, active users should not receive emails 2016-06-16 13:09:22 -04:00
Neil Lalonde
fba419ada0 Version bump 2016-06-10 13:43:42 -04:00
Neil Lalonde
45c8251e48 Version bump 2016-05-27 11:07:20 -04:00
Neil Lalonde
9558393e7b Version bump 2016-05-26 11:51:58 -04:00
Neil Lalonde
841f177db8 Version bump 2016-05-19 12:26:25 -04:00
Sam
4c8715ed2e SECURITY: update rack-mini-profiler 2016-05-18 18:33:29 +10:00
Guo Xiang Tan
adf8a5c9a3
FIX: Ensure unique fields in TopicList.preloaded_custom_fields. 2016-05-18 13:09:27 +08:00
Régis Hanol
5bd72597d5 SECURITY: 2 XSSs in post gutter and local oneboxes 2016-05-14 00:08:43 +02:00
Robin Ward
4fc1918e0f
FIX: OFFSET wasn't being applied correctly 2016-05-11 14:00:31 -04:00
Neil Lalonde
380891875e Version bump 2016-05-10 10:52:27 -04:00
Neil Lalonde
8556622e2b Version bump 2016-05-04 14:31:36 -04:00
Neil Lalonde
2ec92021e1 Version bump 2016-04-20 19:19:37 -04:00
Neil Lalonde
892c90f93c Version bump to v1.6.0.beta2 2016-04-20 19:19:12 -04:00
Neil Lalonde
d61fcbbb9d Version bump 2016-03-31 17:55:47 -04:00
Neil Lalonde
1b62a7e2a1 Version bump 2016-03-29 15:13:55 -04:00
Régis Hanol
6de95d9783 SECURITY: only add elided part of email in PM 2016-03-17 23:11:31 +01:00
Neil Lalonde
3ecb456db2 Version bump 2016-03-17 13:16:57 -04:00
Neil Lalonde
d330f9b62f Version bump 2016-03-17 12:19:53 -04:00
Arpit Jalan
0955d2ab6c SECURITY: strip HTML tags in topic title in email digest 2016-03-08 21:26:42 +05:30
Neil Lalonde
cf676ea6b2 Version bump 2016-03-07 10:37:18 -05:00
Neil Lalonde
db9bc24742 Version bump 2016-02-22 11:30:25 -05:00
Robin Ward
35d6e64c3a Backport PluginAPI to beta branch 2016-02-17 12:17:33 -05:00
Régis Hanol
2ff275e4f4 fix eslint 2016-02-05 16:11:02 +01:00
Régis Hanol
9a80510376 we still need md5 2016-02-05 16:01:51 +01:00
Sam Saffron
2164c082d4 SECURITY: hoist blocks using guids, not md5 hashes 2016-02-05 16:01:44 +01:00
Neil Lalonde
f13af3c13f Version bump 2016-02-04 13:44:50 -05:00
Sam Saffron
f1c7009166 SECURITY: topic titles can show up in user page unescaped when streamed in 2016-02-01 20:55:02 +11:00
Régis Hanol
7e25c9f213 SECURITY: fix XSS in lazyYT plugin 2016-01-30 12:40:24 +01:00
Sam Saffron
35f153c46b SECURITY: user summary could show topic links you have no permissions to 2016-01-28 11:13:29 +11:00
Neil Lalonde
f42d1c8f63 Version bump 2016-01-25 13:41:18 -05:00
Robin Ward
56b3e88786 FIX: Rebake all HTML due to handlebars upgrade 2016-01-18 12:48:05 -05:00
Robin Ward
f72f5d9315 FIX: Precompiler should apply get magic too 2016-01-15 15:15:10 -05:00
Robin Ward
1d771d3d56 SECURITY: Upgrade Ember to fix CVE-2015-7565. Also upgrade Handlebars 2016-01-15 15:15:02 -05:00
Robin Ward
ddc5e52f7c Revert "SECURITY: Upgrade Ember to fix CVE-2015-7565"
This reverts commit 211521df4f.
2016-01-15 11:39:45 -05:00
Robin Ward
2e369a143c SECURITY: Upgrade Ember to fix CVE-2015-7565 2016-01-15 11:31:32 -05:00
Neil Lalonde
b174ad7a52 Version bump 2016-01-08 15:57:13 -05:00
Régis Hanol
477ad15038 SECURITY: ensure we never accept fake images 2015-12-21 16:12:18 +01:00
Neil Lalonde
0a4ae61b2c Version bump 2015-12-18 11:09:25 -05:00
Neil Lalonde
5d87b917d8 Version bump 2015-11-25 17:19:49 -05:00
Robin Ward
d05b7c6329 SECURITY: Backported XSS fixes from Handlebars 2015-11-24 16:16:26 -05:00
Robin Ward
717e72150b SECURITY: XSS Protection on Queued Posts 2015-11-20 14:27:52 -05:00
Robin Ward
e37abbd397 FIX: Missing fallback logic 2015-11-19 12:39:59 -05:00
Neil Lalonde
50da33eee1 Version bump 2015-11-17 11:40:04 -05:00
Neil Lalonde
714ea51990 Version bump 2015-11-04 13:26:53 -05:00
Neil Lalonde
548c18dd51 Version bump 2015-10-19 17:34:56 -04:00
Robin Ward
1db036d465 SECURITY: Unread post notifications should respect whispers 2015-10-19 16:32:37 -04:00
Robin Ward
35a3df35ea SECURITY: Moderators should not see API keys 2015-10-14 15:46:33 -04:00
Sam
42b9823bc2 SECURITY: XSS in search results term
Thanks to Jerbi Nessim
2015-10-07 10:53:22 +11:00
Régis Hanol
8ba7fdce90 Merge pull request #3832 from Martyn96/patch-1
Fix typo in restore & rollback confirm dialog
2015-10-05 15:46:31 +11:00
Martijn Rondeel
cf4a452dd8 Fix typo in restore & rollback confirm dialog 2015-10-03 21:02:19 +02:00
Neil Lalonde
a33dc7403f Version bump 2015-10-02 11:11:33 -04:00
Sam
2366fe4bab FIX: don't use Safari hack on Windows Phone 2015-09-28 17:21:20 +10:00
Robin Ward
37dd456a56 FIX: max_topics_per_day was not working 2015-09-25 12:42:29 -04:00
Robin Ward
764b90d535 FIX: Allow mods/admins to search whispers 2015-09-25 12:41:52 -04:00
Robin Ward
6092313eba FIX: Replies to whispers *must* be whispers 2015-09-25 12:41:52 -04:00
Régis Hanol
d57c84ec00 FIX: replaceMarkdown should be smart about current caret position 2015-09-25 12:41:52 -04:00
Sam
0323ef9943 FIX: disable cloaked view while running ios positioning hack 2015-09-25 12:41:52 -04:00
Sam
dc95cd75b1 FIX: whispers should not be revealed in reply to, or reply expansion
FEATURE: mark whisper as experimental
FIX: badges should never apply to whispers
2015-09-25 12:41:52 -04:00
Jeff Atwood
d89b792375 tweaks to readme 2015-09-25 12:41:51 -04:00
Jeff Atwood
af6769b792 update readme images for 1.4 2015-09-25 12:41:51 -04:00
Jeff Atwood
63f4dce499 minor install guide tweaks 2015-09-25 12:41:51 -04:00
Jeff Atwood
ef9761e032 minor install guide tweaks 2015-09-25 12:41:51 -04:00
Sam
a777d81d6b FIX: when replying to an expanded reply, correctly attribute author 2015-09-25 12:41:51 -04:00
Jeff Atwood
0baebd1659 FIX: 1.4 welcome PM images needed update 2015-09-25 12:41:51 -04:00
Robin Ward
fca0bad4e1 FIX: Category Logo preview should not repeat 2015-09-25 12:41:51 -04:00
Régis Hanol
f378a6c18f FIX: only disable the composer grip when the device is touch-only 2015-09-25 12:41:51 -04:00
Régis Hanol
5c07ae7607 FIX: pikaday wasn't working when using the mouse with a touch-enabled monitor 2015-09-25 12:41:51 -04:00
Jeff Atwood
881df0e14f emphasize reading the admin quick start guide 2015-09-25 12:41:51 -04:00
Jeff Atwood
ff0fe6eb3a simplify install guide a tiny bit 2015-09-25 12:41:50 -04:00
Jeff Atwood
26afa00520 update install guide for Discourse 1.4 2015-09-25 12:41:50 -04:00
Sam
1bfa6f6c9d Revert "FIX: properly filter badges when they're on a whisper"
This reverts commit e1437e6670.
2015-09-25 10:21:34 +10:00
Régis Hanol
e1437e6670 FIX: properly filter badges when they're on a whisper 2015-09-25 00:39:58 +02:00
Régis Hanol
13aca1cceb FIX: notifications & messages were missing from user profile 2015-09-24 19:16:29 +02:00
Robin Ward
4818ba5960 FIX: Double load sometimes on topic lists 2015-09-23 16:42:07 -04:00
Neil Lalonde
3b754956e7 Version bump 2015-09-22 15:16:27 -04:00
Neil Lalonde
ad8f2cbed1 Version bump 2015-09-16 11:33:24 -04:00
Neil Lalonde
5388d4f92a Version bump 2015-09-09 11:45:25 -04:00
Neil Lalonde
53435cf05f Version bump to v1.4.0.beta11 2015-09-09 11:40:52 -04:00
Sam
0893e412d7 SECURITY: fix possible XSS expanding quotes 2015-09-08 15:26:12 +10:00
Sam
40f449c002 FIX: if an enum is Fixnum do not allow strings to live in it 2015-08-26 14:20:03 +02:00
Sam
1e411acbaf PATCH: in some cases this is being turned to a string workaround for now 2015-08-26 14:19:54 +02:00
Neil Lalonde
7d9c21143f Version bump 2015-08-25 15:06:14 -04:00
Neil Lalonde
fbd5325031 Version bump 2015-08-13 10:41:37 -04:00
Neil Lalonde
3ba68857bd Version bump 2015-08-06 15:33:06 -04:00
Neil Lalonde
eaa5304036 Version bump 2015-07-30 15:46:35 -04:00
Robin Ward
61c7c55ddc SECURITY: Make sure export CSV is generated via a POST 2015-07-24 12:39:12 -04:00
Neil Lalonde
ced0e85ddb Version bump 2015-07-17 21:31:26 -04:00
Neil Lalonde
97a5a8ae28 Version bump 2015-07-17 11:26:21 -04:00
Sam
e61a6238f2 SECURITY: Remove email validation check bypass
- Increase size of email column to varchar(513)
- Give error message on signup when email is too large

Overall impact: Low, allows signups from blocked domains. Main risk is increased spam.
2015-07-14 09:55:41 +10:00
Neil Lalonde
a4ae8570ea Version bump 2015-07-01 17:12:23 -04:00
Robin Ward
8a20215673 FIX: Embedding posts was broken 2015-06-26 11:46:30 -04:00
Neil Lalonde
67203ccb64 Version bump 2015-06-19 11:37:29 -04:00
Neil Lalonde
ac079e6240 Version bump 2015-06-11 16:07:26 -04:00
Sam Saffron
c761bf4b90 SECURITY: expire all existing email tokens on password reset 2015-06-05 14:15:48 -04:00
Sam Saffron
0cca90b889 SECURITY: expire all existing sessions if user changes passwords 2015-06-05 13:19:29 -04:00
Robin Ward
772e96e52b Never enqueue posts from staff 2015-06-05 13:19:24 -04:00
Neil Lalonde
74fe4b7cb7 Version bump 2015-06-03 16:57:19 -04:00
Neil Lalonde
c5acf64f54 Version bump 2015-06-01 17:02:34 -04:00
Neil Lalonde
e10e37ec62 Version bump 2015-06-01 15:38:38 -04:00
Neil Lalonde
63f0bd0495 Version bump 2015-05-26 11:45:35 -04:00
Neil Lalonde
cc4bfa7b45 Version bump 2015-05-12 17:52:57 -04:00
Neil Lalonde
121a8ba6dc Version bump to v1.3.0.beta8 2015-05-11 18:53:59 -04:00
Sam
12c6ff22d8 remove s3 deprecation warning, we will continue to support it 2015-05-12 08:32:41 +10:00
riking
c6143ba990 SECURITY: XSS in poll errors dialog 2015-05-09 18:11:20 +10:00
Neil Lalonde
e448cbf6ad Version bump 2015-05-06 13:41:57 -04:00
Neil Lalonde
bcccec1ea6 Version bump 2015-04-22 11:11:48 -04:00
Sam
6e1842d2b3 SECURITY: log off all existing sessions when resetting password 2015-04-15 09:00:55 +10:00
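Three of the SECURITY commits in this range (expire all existing email tokens on password reset, expire all existing sessions if the user changes password, and log off all existing sessions when resetting password) implement one pattern: a password change revokes every credential that was minted under the old password. The following is an added example that illustrates that pattern and is not Discourse's code. The `Account` class, its method names, the SHA-256 stand-in for a real password KDF, and the sample accounts are all assumptions made for the example.

```ruby
require "securerandom"
require "digest"

# Added example, not Discourse's code. A minimal account that keeps one
# random token per login session and one per password-reset email, stores
# only their hashes, and clears all of them whenever the password changes.
class Account
  attr_reader :email

  def initialize(email, password)
    @email = email
    @salt = SecureRandom.hex(16)
    @password_hash = hash_password(password)
    @sessions = {}      # SHA-256(session token) => issued_at
    @email_tokens = {}  # SHA-256(reset token)   => issued_at
  end

  # Login issues a fresh session token; the server keeps only its hash, so
  # a leaked table does not yield usable tokens.
  def login(password)
    return nil unless valid_password?(password)
    issue(@sessions)
  end

  def session_valid?(token)
    @sessions.key?(Digest::SHA256.hexdigest(token))
  end

  # Each reset request issues its own email token; several may be
  # outstanding at once (the user clicked "forgot password" twice).
  def request_password_reset
    issue(@email_tokens)
  end

  def email_token_valid?(token)
    @email_tokens.key?(Digest::SHA256.hexdigest(token))
  end

  # Completing a reset with one valid email token sets the password and,
  # through change_password!, invalidates every other reset token and
  # every existing session.
  def reset_password(email_token, new_password)
    return false unless email_token_valid?(email_token)
    change_password!(new_password)
    true
  end

  # A logged-in password change does the same revocation.
  def change_password(old_password, new_password)
    return false unless valid_password?(old_password)
    change_password!(new_password)
    true
  end

  private

  def change_password!(new_password)
    @password_hash = hash_password(new_password)
    @sessions.clear       # log off all existing sessions
    @email_tokens.clear   # expire all outstanding email tokens
  end

  def issue(store)
    token = SecureRandom.hex(32)
    store[Digest::SHA256.hexdigest(token)] = Time.now
    token
  end

  # Stand-in for a real password KDF (bcrypt/argon2); assumption for the example.
  def hash_password(password)
    Digest::SHA256.hexdigest(@salt + password)
  end

  def valid_password?(password)
    hash_password(password) == @password_hash
  end
end

# Walk-through on a constructed account: an attacker holding a stolen
# session cookie and an older reset link loses both the moment the
# legitimate user completes a reset with the newest link.
def demo_revocation
  acct = Account.new("alice@example.com", "old-pass")
  stolen_session = acct.login("old-pass")
  old_reset = acct.request_password_reset
  fresh_reset = acct.request_password_reset
  before = [acct.session_valid?(stolen_session), acct.email_token_valid?(old_reset)]
  acct.reset_password(fresh_reset, "new-pass")
  after = [acct.session_valid?(stolen_session),
           acct.email_token_valid?(old_reset),
           acct.email_token_valid?(fresh_reset)]
  { before: before, after: after }
end
```

`demo_revocation` returns `{ before: [true, true], after: [false, false, false] }`: both credentials work before the reset and none of them, including the token just used, works after it. The same `change_password!` path is what a logged-in password change goes through, so the two commits about sessions and the one about email tokens collapse into a single revocation point.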
Neil Lalonde
8c3d3060d1 Version bump 2015-04-13 15:00:51 -04:00
Neil Lalonde
c7040e46b9 Version bump 2015-03-24 14:18:38 -04:00
Neil Lalonde
bebc107082 Version bump 2015-03-12 17:20:20 -04:00
Robin Ward
6a91151017 FIX: 6to5 was renamed to Babel
I can't believe they just pulled the old gem and broke people deploying
our site to production. I get it, your name changed, but don't break
other people's apps with no deprecations.
2015-03-05 13:43:35 -05:00
Neil Lalonde
9e96152788 Version bump 2015-03-02 18:31:18 -05:00
Neil Lalonde
7e78139563 Version bump 2015-02-19 16:27:55 -05:00
Neil Lalonde
bd8b403780 Version bump 2015-02-16 16:09:21 -05:00
Neil Lalonde
caa9a324b0 Version bump 2015-02-12 18:31:36 -05:00
Neil Lalonde
3739684164 Version bump 2015-02-12 16:34:53 -05:00
Neil Lalonde
adc1a2e9a5 Version bump 2015-02-03 14:18:35 -05:00
Neil Lalonde
872aa6216b Version bump 2015-01-14 14:27:58 -05:00
Neil Lalonde
c97833b1fc Version bump 2014-12-12 14:34:42 -05:00
Neil Lalonde
c0b128d547 Version bump 2014-11-27 16:48:45 -05:00
Neil Lalonde
ee61fb5274 Version bump 2014-11-18 16:10:13 -05:00
Neil Lalonde
c87673c651 Merge branch 'master' into beta 2014-11-06 15:53:53 -05:00
Neil Lalonde
d2fd8e1947 Version bump 2014-10-30 17:31:32 -04:00
Neil Lalonde
f058bfa376 Version bump 2014-10-23 11:47:25 -04:00
Neil Lalonde
ec102c550d Version bump 2014-10-16 15:08:23 -04:00
Neil Lalonde
340c2e4ff6 Version bump to v1.1.0.beta6b 2014-10-16 15:07:31 -04:00
Neil Lalonde
f07b00f1e9 Version bump 2014-10-08 16:51:07 -04:00
Neil Lalonde
b813e692b2 Version bump 2014-10-03 10:52:14 -04:00
Neil Lalonde
f23bc46d43 Version bump 2014-09-23 13:44:18 -04:00
Neil Lalonde
c3e1cbfe90 Merge master 2014-09-10 12:53:31 -04:00
Neil Lalonde
fd81422202 Version bump to v1.1.0.beta1 2014-09-04 12:47:04 -04:00