Showing
23 changed files
with
266 additions
and
7 deletions.
@@ -1 +1 @@ | ||
0.1.1 | ||
0.1.2 |
@@ -0,0 +1,9 @@ | ||
class AddCustomCssToSiteSettings < ActiveRecord::Migration | ||
def self.up | ||
add_column :site_settings, :custom_css, :text | ||
end | ||
|
||
def self.down | ||
remove_column :site_settings, :custom_css | ||
end | ||
end |
@@ -0,0 +1,47 @@ | ||
namespace :db do | ||
namespace :backup do | ||
|
||
def interesting_tables | ||
ActiveRecord::Base.connection.tables.sort.reject! do |tbl| | ||
['schema_info', 'sessions', 'public_exceptions'].include?(tbl) | ||
end | ||
end | ||
|
||
desc "Dump entire db." | ||
task :write => :environment do | ||
|
||
dir = RAILS_ROOT + '/db/backup' | ||
FileUtils.mkdir_p(dir) | ||
FileUtils.chdir(dir) | ||
|
||
interesting_tables.each do |tbl| | ||
|
||
klass = tbl.classify.constantize | ||
puts "Writing #{tbl}..." | ||
File.open("#{tbl}.yml", 'w+') { |f| YAML.dump klass.find(:all).collect(&:attributes), f } | ||
end | ||
|
||
end | ||
|
||
task :read => [:environment, 'db:schema:load'] do | ||
|
||
dir = RAILS_ROOT + '/db/backup' | ||
FileUtils.mkdir_p(dir) | ||
FileUtils.chdir(dir) | ||
|
||
interesting_tables.each do |tbl| | ||
|
||
klass = tbl.classify.constantize | ||
ActiveRecord::Base.transaction do | ||
|
||
puts "Loading #{tbl}..." | ||
YAML.load_file("#{tbl}.yml").each do |fixture| | ||
ActiveRecord::Base.connection.execute "INSERT INTO #{tbl} (#{fixture.keys.join(",")}) VALUES (#{fixture.values.collect { |value| ActiveRecord::Base.connection.quote(value) }.join(",")})", 'Fixture Insert' | ||
end | ||
end | ||
end | ||
|
||
end | ||
|
||
end | ||
end |
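Review bot: `interesting_tables` uses `reject!`, which returns `nil` when none of the three listed tables is present, so `interesting_tables.each` in both the `:write` and `:read` tasks then raises NoMethodError on a database that has no `schema_info`/`sessions`/`public_exceptions` table; the non-destructive form gives the same list without that edge case: `ActiveRecord::Base.connection.tables.sort.reject do |tbl|`. The INSERT built in `:read` quotes the values but interpolates the column names from the YAML keys verbatim, so wrapping each key with `ActiveRecord::Base.connection.quote_column_name` would keep reserved-word or oddly named columns from breaking the statement. It is also worth a comment above `YAML.load_file` that it instantiates whatever object types the file declares, so `db/backup` has to be treated as trusted input: the dump written by `:write` only contains attribute hashes, but anything else placed in that directory is loaded the same way.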
@@ -31,3 +31,5 @@ FCKConfig.ToolbarSets["Simple"] = [ | |
['TextColor','BGColor'], | ||
['-','About'] | ||
] ; | ||
|
||
FCKConfig.EnterMode = 'br'; |
@@ -0,0 +1,10 @@ | ||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> | ||
<script type="text/javascript" src="http://www.netvibes.com/js/UWA/Utils/ifproxy.js"></script> | ||
<title>UWA Container Proxy</title> | ||
</head> | ||
<body> | ||
</body> | ||
</html> |
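Review bot: The proxy page loads `ifproxy.js` from `http://www.netvibes.com` over plain HTTP, so a script that runs with this page's origin can be altered in transit by anyone on the network path. Serving it over `https://` (or shipping a copy with the plugin) removes that exposure. A short comment in the file saying where the script comes from and why it has to match the widget container would also help the next maintainer, since nothing on the page explains its purpose beyond the title.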
4 changes: 3 additions & 1 deletion
4
vendor/plugins/ansuz_content_section/app/views/admin/content_sections/_edit.html.erb
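--- a/vendor/plugins/ansuz_database_dumper/app/controllers/admin/database_dumpers_controller.rb
+++ b/vendor/plugins/ansuz_database_dumper/app/controllers/admin/database_dumpers_controller.rb
@@ -0,0 +1,21 @@
+class Admin::DatabaseDumpersController < Admin::BaseController
+def show
+end
+
+def mysql_dump
+backup_path = File.join(RAILS_ROOT, "tmp", Time.now.to_f.to_s)
+config = Rails::Configuration.new.database_configuration[RAILS_ENV]
+options = []
+options << "-u#{config["username"]}"
+options << "-p#{config["password"]}" unless config["password"].blank?
+options << "#{config["database"]}"
+command = "mysqldump #{options.join(" ")} > #{backup_path}"
+logger.info command
+begin
+`#{command}`
+render :file => backup_path
+ensure
+File.delete backup_path
+end
+end
+end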
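Review bot: `mysql_dump` writes the database password into the application log (`logger.info command`) and onto the mysqldump command line (`-p…`), where any local user can read it from the process list; the command then goes through a shell via backticks, so a password or database name containing shell metacharacters breaks or alters it. The exit status of mysqldump is never checked, so a failed dump is served as an empty file, and `render :file` treats the path as a view template rather than sending it as a download. The rewrite below runs mysqldump without a shell, hands the password over through the `MYSQL_PWD` environment variable, raises on a non-zero exit and sends the file with `send_data`, which reads it before the `ensure` deletes it; the `Hash` first argument to `system` needs Ruby 1.9+, and on 1.8 a `--defaults-extra-file` created with mode 0600 is the equivalent. Whether `Admin::BaseController` restricts this action to administrators is not visible here and is worth confirming, since the dump exposes every table.
```ruby
def mysql_dump
  backup_path = File.join(RAILS_ROOT, "tmp", Time.now.to_f.to_s)
  config = Rails::Configuration.new.database_configuration[RAILS_ENV]
  # Argument vector, not a shell string: no quoting problems, no password in `ps`.
  args = ["mysqldump", "-u#{config["username"]}", "--result-file=#{backup_path}", config["database"]]
  env  = config["password"].blank? ? {} : { "MYSQL_PWD" => config["password"] }
  logger.info "Dumping database #{config["database"]}" # never log credentials
  begin
    system(env, *args) or raise "mysqldump failed (exit status #{$?.exitstatus})"
    send_data File.read(backup_path), :type => "application/sql", :filename => "#{config["database"]}.sql"
  ensure
    File.delete(backup_path) if File.exist?(backup_path)
  end
end
```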
8 changes: 8 additions & 0 deletions
8
vendor/plugins/ansuz_database_dumper/app/views/admin/database_dumpers/show.html.erb
@@ -0,0 +1,8 @@ | ||
<%= title "Import / Export your data" %> | ||
<% content_for :sidebar do %> | ||
<div class='note'> | ||
At present, only mysql is supported. We should make that not true. | ||
</div> | ||
<% end %> | ||
<%= link_to "Download a dump of your database", mysql_dump_admin_database_dumper_path %> |
@@ -0,0 +1 @@ | ||
Ansuz::PluginManagerInstance.register_admin_menu_entry('Ansuz', 'Database Import/Export', '/admin/database_dumper') |
@@ -0,0 +1,3 @@ | ||
namespace :admin do |admin| | ||
admin.resource :database_dumper, :collection => [:mysql_dump] | ||
end |
Empty file.
@@ -0,0 +1,26 @@ | ||
# Include this module into your ActiveRecord model. | ||
module CssSanitize | ||
|
||
def custom_css=(text) | ||
# Mostly stolen from http://code.sixapart.com/svn/CSS-Cleaner/trunk/lib/CSS/Cleaner.pm | ||
text = "Error: invalid/disallowed characters in CSS" if text =~ /(\w\/\/)/ # a// comment immediately following a letter | ||
text = "Error: invalid/disallowed characters in CSS" if text =~ /(\w\/\/*\*)/ # a/* comment immediately following a letter | ||
text = "Error: invalid/disallowed characters in CSS" if text =~ /(\/\*\/)/ # /*/ --> hack attempt, IMO | ||
|
||
# Now, strip out any comments, and do some parsing. | ||
no_comments = text.gsub(/(\/\*.*?\*\/)/, "") # filter out any /* ... */ | ||
no_comments.gsub!("\n", "") | ||
# No backslashes allowed | ||
evil = [ | ||
/(\bdata:\b|eval|cookie|\bwindow\b|\bparent\b|\bthis\b)/i, # suspicious javascript-type words | ||
/behaviou?r|expression|moz-binding|@import|@charset|(java|vb)?script|[\<]|\\\w/i, | ||
/[\<>]/, # back slash, html tags, | ||
/[\x7f-\xff]/, # high bytes -- suspect | ||
/[\x00-\x08\x0B\x0C\x0E-\x1F]/, #low bytes -- suspect | ||
/&\#/, # bad charset | ||
] | ||
evil.each { |regex| text = "Error: invalid/disallowed characters in CSS" and break if no_comments =~ regex } | ||
|
||
write_attribute :custom_css, text | ||
end | ||
end |
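Review bot: `custom_css=` dereferences `text` unconditionally, so assigning `nil` to clear the field raises NoMethodError at `text.gsub` (`nil =~ regex` is legal, `nil.gsub` is not); a guard at the top, `return write_attribute(:custom_css, nil) if text.nil?`, keeps the clear case working. The comment-stripping regex has no `/m` flag, so a `/* … */` comment that spans lines is not removed before the `evil` scan — that is the conservative direction, since the comment body is still scanned, but the `# Now, strip out any comments` comment overstates it and should say single-line comments only. The `[\x7f-\xff]` class rejects every non-ASCII byte, which also blocks legitimate UTF-8 inside `content:` strings, and as far as I recall a regex literal containing `\xff` in a UTF-8 source file is a SyntaxError from Ruby 1.9 on, so a comment recording that this module assumes binary/1.8 string semantics would save the next upgrader some time. Storing the literal `Error: invalid/disallowed characters in CSS` as the attribute value means callers cannot tell a rejected stylesheet from one that happens to contain that text; recording the rejection with `errors.add` (or raising) and leaving the stored value untouched would be the clearer contract, though the test file in this commit pins the current behaviour.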
115 changes: 115 additions & 0 deletions
115
vendor/plugins/css_file_sanitize/test/css_sanitize_test.rb
@@ -0,0 +1,115 @@ | ||
require File.dirname(__FILE__) + '/../test_helper' | ||
|
||
class Site < ActiveRecord::Base | ||
include CssSanitize | ||
end | ||
|
||
class CssSanitizeTest < Test::Unit::TestCase | ||
|
||
before do | ||
@site = Site.new(:name => 'Foo', :owner_id => 1) | ||
end | ||
|
||
it "disallows evil css" do | ||
bad_strings = [ | ||
"div.foo { width: 500px; behavior: url(http://foo.com); height: 200px; }", | ||
".test { color: red; background-image: url('javascript:alert'); border: 1px solid brown; }", | ||
"div.foo { width: 500px; -moz-binding: foo; height: 200px; }", | ||
|
||
# no @import for you | ||
"\@import url(javascript:alert('Your cookie:'+document.cookie));", | ||
|
||
# no behavior either | ||
"behaviour:expression(function(element){alert('xss');}(this));'>", | ||
|
||
# case-sensitivity test | ||
'-Moz-binding: url("http://www.example.comtest.xml");', | ||
|
||
# \uxxrl unicode | ||
"background:\75rl('javascript:alert(\"\\75rl\")');", | ||
"background:url(javascript:alert('html &#x75;'))", | ||
"b\nackground: url(javascript:alert('line-broken background '))", | ||
"background:url(javascript:alert('&#xff55;rl(full-width u)'))", | ||
"background:url(javascript:alert(&#117;rl'))", | ||
"background:url(javascript:alert('&#x75;rl'))", | ||
"background:\75rl('javascript:alert(\"\\75rl\")')", | ||
|
||
# \\d gets parsed out on ffx and ie | ||
"background:url("javascri\\dpt:alert('injected js goes here')")", | ||
|
||
# http://rt.livejournal.org/Ticket/Display.html?id=436 | ||
'-\4d oz-binding: url("http://localhost/test.xml#foo");', | ||
|
||
# css comments are ignored sometimes | ||
"xss:expr/*XSS*/ession(alert('XSS'));", | ||
|
||
# html comments? fail | ||
"background:url(java<!-- -->script:alert('XSS'));", | ||
|
||
# weird comments | ||
'color: e/* * / */xpression("r" + "e" + "d");', | ||
|
||
# weird comments to really test that regex | ||
'color: e/*/**/xpression("r" + "e" + "d");', | ||
|
||
# we're not using a parser, but nonetheless ... if we were.. | ||
<<-STR | ||
p { | ||
dummy: '//'; background:url(javascript:alert('XSS')); | ||
} | ||
STR | ||
] | ||
bad_strings.each do |string| | ||
@site.custom_css = string | ||
@site.custom_css.should == "Error: invalid/disallowed characters in CSS" | ||
end | ||
end | ||
|
||
|
||
it "allows good css" do | ||
good_strings = [ | ||
".test { color: red; border: 1px solid brown; }", | ||
"h1 { background: url(http://foobar.com/meh.jpg)}", | ||
"div.foo { width: 500px; height: 200px; }", | ||
"GI b gkljfl kj { { { ********" # gibberish, but should work. | ||
] | ||
good_strings.each do |string| | ||
@site.custom_css = string | ||
@site.custom_css.should == string | ||
end | ||
|
||
end | ||
|
||
it "does not strip real comments" do | ||
text = <<STR | ||
a.foo { bar: x } | ||
/* Group: header */ | ||
a.bar { x: poo } | ||
STR | ||
@site.custom_css = text | ||
@site.custom_css.should == text | ||
end | ||
|
||
it "does strip suspicious comments" do | ||
text = <<-STR | ||
a.foo { ba/* hack */r: x } | ||
/* Group: header */ | ||
a.bar { x: poo } | ||
STR | ||
@site.custom_css = text | ||
@site.custom_css.should == "Error: invalid/disallowed characters in CSS" | ||
@site.custom_css = "Foo /*/**/ Bar" | ||
@site.custom_css.should == "Error: invalid/disallowed characters in CSS" | ||
end | ||
|
||
it "doesn't allow bad css" do | ||
@site.custom_css = <<STR | ||
test{ width: expression(alert("sux 2 be u")); } | ||
a:link { color: red } | ||
STR | ||
@site.custom_css.should == "Error: invalid/disallowed characters in CSS" | ||
end | ||
|
||
end |
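Review bot: The `bad_strings` entry `"background:url("javascri\\dpt:alert('injected js goes here')")"` has unescaped inner double quotes, so unless the page rendering dropped backslashes the file does not parse and none of these tests run; escaping them, `"background:url(\"javascri\\dpt:alert('injected js goes here')\")"`, fixes it. The `before`/`it`/`should` vocabulary is not provided by `Test::Unit::TestCase` itself, so presumably `test_helper` pulls in a BDD shim — worth confirming, since a missing helper would fail the whole file rather than one case. A one-line comment above `bad_strings` noting that each entry targets one specific pattern in `CssSanitize` would make it easier to keep the two files in step when a pattern changes.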