Commits on Dec 20, 2008
  1. Eric Kidd

    Merge branch 'experimental'

    emk authored
    Conflicts:
    
    	app/drops/comment_drop.rb
  2. Eric Kidd

    Security: Fix many broken filter regexps

    emk authored
    In Ruby, "foo\nbar" =~ /^bar/ will result in a match, because ^ matches
    at the start of any line, not at the start of the string.  In general,
    we want to use \A and \z in place of ^ and $, respectively.
    
    We rely heavily on regular expressions to filter untrusted data.  And
    many of these regular expressions can be fooled easily because they rely
    on ^ and $ when they shouldn't.  See comment_drop_test for a
    user-exploitable example.
    
    This patch does a bulk search-and-replace of the offending patterns.  It
    may easily have missed something somewhere, but it's a good start.
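To make the anchor difference concrete, here is an added Ruby example (not Mephisto's own code) that puts a hypothetical whole-string URL filter through both anchor styles; the regex and the sample inputs are constructed for illustration.

```ruby
# Added example (not Mephisto's own code): a hypothetical whole-string URL
# filter written both ways, to show why ^ and $ are the wrong anchors for
# validating untrusted input in Ruby.

# Broken: ^ and $ match at line boundaries, so any line of a multi-line
# value can satisfy the pattern.
BROKEN_URL_RE = /^https?:\/\/[^\s"'<>]+$/

# Fixed: \A anchors at the start of the string and \z at its very end.
# (\Z would still allow a trailing newline, so prefer \z.)
FIXED_URL_RE = /\Ahttps?:\/\/[^\s"'<>]+\z/

def safe_url_broken?(value)
  !!(value =~ BROKEN_URL_RE)
end

def safe_url_fixed?(value)
  !!(value =~ FIXED_URL_RE)
end

# Constructed inputs: a plain link; a two-line value whose first line is
# not a URL at all; a link with a trailing newline; and a non-URL.
SAMPLES = {
  plain:     "http://example.com/page",
  multiline: "not-a-url\nhttp://example.com/",
  trailing:  "http://example.com/\n",
  bare:      "not a url",
}.freeze

# Returns, per sample, what each filter decides.
def compare_filters
  SAMPLES.transform_values do |v|
    { broken: safe_url_broken?(v), fixed: safe_url_fixed?(v) }
  end
end

if __FILE__ == $0
  compare_filters.each do |name, r|
    puts "#{name}: broken=#{r[:broken]} fixed=#{r[:fixed]}"
  end
end
```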
Commits on Dec 19, 2008
  1. Eric Kidd

    Security: Fix XSS attack against new comment form

    emk authored
    WARNING: If you're one of the first people testing this commit, please
    use a backup database.
    
    How to reproduce: Create a new comment, and set all fields to
    <script>alert("Pwned")</script>.  Submit it.  You will see a JavaScript
    alert dialog, which is bad.
    
    What's happening: Untrusted fields in Comment objects are sanitized
    immediately before they're written to the database for the first time.
    But if validation fails, it leaves the application with an unsanitized
    comment object.  When the "can't submit comment" error is displayed,
    this unsanitized comment object can be passed straight through to
    Liquid, which assumes that all HTML tags have been escaped.
    
    (This may look like a "self XSS" attack only, but hostile pages can
    trigger it by tricking you into submitting a comment form back to your
    own site, preloaded with malicious data.)
    
    How we fix it: We make HTML escaping the responsibility of CommentDrop,
    not the Comment model.  This means that we need to unescape several
    existing fields in the database.
    
    Possible issues: This means that we're storing dangerous, untrusted data
    in our database, and that we need to rely on the proper use of 'h' and
    'CGI.escapeHTML'.  In the case of 'h', we're already using SafeERB, so
    insecure admin templates will be caught automatically, and dangerous
    data should never be sent to the user.  In the case of Liquid, we need
    to carefully examine our CommentDrop class to make sure that we're not
    passing any unescaped data through to the Liquid templates.  But this is
    a pretty manageable "proof obligation"--and remember that the old
    "sanitize on create" code actually suffered from XSS attacks, because it
    was too easy to do the sanitization in the wrong place.
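As an added illustration of the fix described above (example code, not Mephisto's own), the following Ruby models both flows: sanitizing on first save, which leaves a validation-failed comment raw, versus a CommentDrop that escapes at render time. The Comment struct, the template stand-in and the sample values are assumptions.

```ruby
require 'cgi'

# Added example, not Mephisto's own code. It models the commit's fix: the
# Comment keeps raw, untrusted text and the drop escapes every string it
# exposes, so a comment that failed validation (and was never sanitized on
# save) is as safe to render as a saved one. Names are assumptions.
Comment = Struct.new(:author, :body) do
  def valid?
    !body.nil? && !body.strip.empty?   # empty body => "can't submit comment"
  end
end

# Before the fix: escaping happens only on a successful first save.
def save_sanitizing_on_create(comment)
  return nil unless comment.valid?     # failure leaves the object raw
  comment.author = CGI.escapeHTML(comment.author.to_s)
  comment.body   = CGI.escapeHTML(comment.body.to_s)
  comment
end

# After the fix: the drop owns escaping, whatever state the model is in.
class CommentDrop
  def initialize(comment)
    @comment = comment
  end
  def author
    CGI.escapeHTML(@comment.author.to_s)
  end
  def body
    CGI.escapeHTML(@comment.body.to_s)
  end
end

# Stand-in for the Liquid error template: it interpolates whatever the
# drop (or, in the old flow, the model) returns, assuming it is escaped.
def render_template(source)
  %(<p class="author">#{source.author}</p><div class="body">#{source.body}</div>)
end

# Old flow: on validation failure the raw model reaches the template.
def render_legacy(comment)
  save_sanitizing_on_create(comment)
  render_template(comment)
end

# New flow: the model is never trusted; the drop escapes at render time.
def render_with_drop(comment)
  render_template(CommentDrop.new(comment))
end
```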
Commits on Dec 12, 2008
  1. Eric Kidd

    Security: Replace white_list with Rails 2.2 sanitizer

    emk authored
    The Rails 2.2 sanitizer is an enhanced version of Rick's original
    white_list plugin, so let's upgrade and get the latest fixes.
    
    Note that Mephisto had separate rules for sanitizing comments and
    non-comments in Atom feeds.  This difference was introduced in commit
    88df87e.  Unfortunately, I'm not able
    to track down any information on the problem being fixed here.  Since we
    already add half of the tags in question to the whitelist, I've decided
    to just treat all sanitized Atom feed content the same.  Please let me
    know if this breaks anything.
Commits on Dec 5, 2008
  1. Eric Kidd

  1. replace use of '<<' operator with '+=' operator in find_child_sections and find_decendant_sections in SiteDrop

    George Murphy authored emk committed
    We found that multiple calls to the 'child_sections' drop filter were modifying the value of the path
    attribute inside of SectionDrops.  The SiteDrop methods find_child_sections and find_decentdent_sections
    used the '<<' operator to append a '/' character to the path.  This had the side effect of modifying
    the original string in memory.  The "+=", while slower, uses a copy of the string passed as parameter.
    
    This gave us the behavior we would expect.
Commits on May 8, 2008
  1. Added ability to edit asset title in admin interface, and added title to asset attributes in liquid

    James Smith authored
Commits on Mar 31, 2008
  1. risk danger olson
Commits on Feb 4, 2008
  1. risk danger olson
Commits on Mar 31, 2007
  1. sanitize comment attributes when they enter the db, not when they're displayed

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2822 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Feb 19, 2007
  1. allow next/previous paging with articles within a given section. [Pascal Belloncle]

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2746 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Feb 12, 2007
  1. Extract template rendering code to separate handler class, add support for alternate template handlers. [Pascal Belloncle] Add {{ article.next }} and {{ article | next: section }} for paginating articles [Pascal Belloncle]

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2737 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Jan 15, 2007
  1. Initial article/asset assignment support. Perfect for podcasting.

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2684 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Jan 2, 2007
  1. Link comments to the currently logged in user, requires latest edge/1.2 rails [Josh Susser]

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2625 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Dec 26, 2006
  1. damn anal beads

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2589 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Nov 5, 2006
  1. use example of article feed in the default template

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2438 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Oct 20, 2006
  1. Change child_section and descendent_section methods in the SiteDrop to search the preloaded sections array.

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2381 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Oct 13, 2006
  1. fix section ordering issue, and add an index filter for arrays

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2361 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Oct 10, 2006
  1. rename liquidize to liquify

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2357 567b1171-46fb-0310-a4c9-b4bef9110e78
  2. remove pointless accessor methods for liquid drops

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2356 567b1171-46fb-0310-a4c9-b4bef9110e78
  3. add #liquidize helper method that applies the current context to all instantiated liquid drops automatically, add basic UserDrop

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2355 567b1171-46fb-0310-a4c9-b4bef9110e78
  4. some drop tweaks

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2354 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Oct 9, 2006
  1. refactor liquid drops so that @site is available from the current context's site value

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2345 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Oct 5, 2006
  1. fix anomaly with page_url [Ian White]

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2331 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Oct 4, 2006
  1. add AssetDrop#path

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2326 567b1171-46fb-0310-a4c9-b4bef9110e78
  2. add asset drop

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2317 567b1171-46fb-0310-a4c9-b4bef9110e78
  3. enhanced cache sweeping of liquid objects, and better draft article sweeping behavior

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2313 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Sep 27, 2006
  1. Refine child_sections liquid filter, add descendant_sections filter [Cristi Balan]

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2290 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Sep 25, 2006
  1. Add comments and changes feeds for articles

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2272 567b1171-46fb-0310-a4c9-b4bef9110e78
  2. add linking to article from comment

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2268 567b1171-46fb-0310-a4c9-b4bef9110e78
  3. add white list protection for comments

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2266 567b1171-46fb-0310-a4c9-b4bef9110e78
  4. Add liquid drop/filters for getting the latest comments for a section.

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2262 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Sep 24, 2006
  1. fixed that {{ article.excerpt }} outputted 'false'

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2249 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Sep 21, 2006
  1. tweak article drop so that article.excerpt returns nil if empty. great for {% if article.excerpt %}. [DeLynn Berry]

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2230 567b1171-46fb-0310-a4c9-b4bef9110e78
Commits on Sep 18, 2006
  1. update default theme with archive stuff

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2207 567b1171-46fb-0310-a4c9-b4bef9110e78
  2. Fixed issues previewing article drafts

    technoweenie authored
    git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2206 567b1171-46fb-0310-a4c9-b4bef9110e78