From 19a259915eedcdff8c1e82f3b99a6249010b4b30 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Mon, 21 Mar 2016 10:08:19 +0100
Subject: [PATCH] Security update

---
 Gemfile | 2 +-
 Gemfile.lock | 72 +++++++++++++-------------
 app/controllers/accounts_controller.rb | 4 +-
 app/helpers/atom_builder_helper.rb | 10 ++--
 4 files changed, 45 insertions(+), 43 deletions(-)

diff --git a/Gemfile b/Gemfile
index 9a171b5b638..b4ce0aea8be 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '4.2.5.1'
+gem 'rails', '4.2.5.2'
 gem 'sass-rails', '~> 5.0'
 gem 'uglifier', '>= 1.3.0'
 gem 'coffee-rails', '~> 4.1.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index adbf3e5377d..d535d1617ba 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,36 +1,36 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (4.2.5.1) - actionpack (= 4.2.5.1) - actionview (= 4.2.5.1) - activejob (= 4.2.5.1) + actionmailer (4.2.5.2) + actionpack (= 4.2.5.2) + actionview (= 4.2.5.2) + activejob (= 4.2.5.2) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.5.1) - actionview (= 4.2.5.1) - activesupport (= 4.2.5.1) + actionpack (4.2.5.2) + actionview (= 4.2.5.2) + activesupport (= 4.2.5.2) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (4.2.5.1) - activesupport (= 4.2.5.1) + actionview (4.2.5.2) + activesupport (= 4.2.5.2) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - activejob (4.2.5.1) - activesupport (= 4.2.5.1) + activejob (4.2.5.2) + activesupport (= 4.2.5.2) globalid (>= 0.3.0) - activemodel (4.2.5.1) - activesupport (= 4.2.5.1) + activemodel (4.2.5.2) + activesupport (= 4.2.5.2) builder (~> 3.1) - activerecord (4.2.5.1) - activemodel (= 4.2.5.1) - activesupport (= 4.2.5.1) + activerecord (4.2.5.2) + activemodel (= 4.2.5.2) + activesupport (= 4.2.5.2) arel (~> 6.0) - activesupport (4.2.5.1) + activesupport (4.2.5.2) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) @@ -72,7 +72,7 @@ GEM warden (~> 1.2.3) diff-lcs (1.2.5) docile (1.1.5) - domain_name (0.5.20160309) + domain_name (0.5.20160310) unf (>= 0.0.5, < 1.0.0) doorkeeper (3.1.0) railties (>= 3.2) @@ -82,7 +82,7 @@ GEM railties (>= 4.0, < 5.1) erubis (2.7.0) execjs (2.6.0) - fabrication (2.14.1) + fabrication (2.15.0) fast_blank (1.0.0) font-awesome-rails (4.5.0.1) railties (>= 3.2, < 5.1) @@ -111,7 +111,7 @@ GEM nokogiri (~> 1.6.0) ruby_parser (~> 3.5) htmlentities (4.3.4) - http (1.0.2) + http (1.0.4) addressable (~> 2.3) http-cookie (~> 1.0) http-form_data (~> 1.0.1) 
@@ -160,7 +160,7 @@ GEM addressable (~> 2.4) http (~> 1.0) nokogiri (~> 1.6) - paperclip (4.3.5) + paperclip (4.3.6) activemodel (>= 3.2.0) activesupport (>= 3.2.0) cocaine (~> 0.5.5) @@ -178,7 +178,7 @@ GEM slop (~> 3.4) pry-rails (0.3.4) pry (>= 0.9.10) - puma (3.1.0) + puma (3.2.0) quiet_assets (1.1.0) railties (>= 3.1, < 5.0) rabl (0.12.0) @@ -190,16 +190,16 @@ GEM rack (>= 1.2.0) rack-test (0.6.3) rack (>= 1.0) - rails (4.2.5.1) - actionmailer (= 4.2.5.1) - actionpack (= 4.2.5.1) - actionview (= 4.2.5.1) - activejob (= 4.2.5.1) - activemodel (= 4.2.5.1) - activerecord (= 4.2.5.1) - activesupport (= 4.2.5.1) + rails (4.2.5.2) + actionmailer (= 4.2.5.2) + actionpack (= 4.2.5.2) + actionview (= 4.2.5.2) + activejob (= 4.2.5.2) + activemodel (= 4.2.5.2) + activerecord (= 4.2.5.2) + activesupport (= 4.2.5.2) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.5.1) + railties (= 4.2.5.2) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) @@ -216,13 +216,13 @@ GEM rails (> 3.1) rails_serve_static_assets (0.0.5) rails_stdout_logging (0.0.4) - railties (4.2.5.1) - actionpack (= 4.2.5.1) - activesupport (= 4.2.5.1) + railties (4.2.5.2) + actionpack (= 4.2.5.2) + activesupport (= 4.2.5.2) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rainbow (2.1.0) - rake (11.1.0) + rake (11.1.1) rdoc (4.2.2) json (~> 1.4) redis (3.2.2) @@ -351,7 +351,7 @@ DEPENDENCIES rabl rack-attack rack-mini-profiler - rails (= 4.2.5.1) + rails (= 4.2.5.2) rails_12factor rails_autolink redis (~> 3.2) diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb index 50b5c08e687..72d32baf0e7 100644 --- a/app/controllers/accounts_controller.rb +++ b/app/controllers/accounts_controller.rb 
@@ -5,10 +5,8 @@ class AccountsController < ApplicationController
 before_action :set_webfinger_header
 
 def show
- @statuses = @account.statuses.order('id desc').with_includes.with_counters
-
 respond_to do |format|
- format.html { @statuses = @statuses.paginate(page: params[:page], per_page: 10)}
+ format.html { @statuses = @account.statuses.order('id desc').with_includes.with_counters.paginate(page: params[:page], per_page: 10)}
 format.atom
 end
 end
diff --git a/app/helpers/atom_builder_helper.rb b/app/helpers/atom_builder_helper.rb
index 40d1119c9c6..da3a1a9b807 100644
--- a/app/helpers/atom_builder_helper.rb
+++ b/app/helpers/atom_builder_helper.rb
@@ -126,9 +126,9 @@ module AtomBuilderHelper
 end
 
 def link_avatar(xml, account)
- xml.link('rel' => 'avatar', 'type' => account.avatar_content_type, 'media:width' => '300', 'media:height' =>'300', 'href' => asset_url(account.avatar.url(:large, false)))
- xml.link('rel' => 'avatar', 'type' => account.avatar_content_type, 'media:width' => '96', 'media:height' =>'96', 'href' => asset_url(account.avatar.url(:medium, false)))
- xml.link('rel' => 'avatar', 'type' => account.avatar_content_type, 'media:width' => '48', 'media:height' =>'48', 'href' => asset_url(account.avatar.url(:small, false)))
+ single_link_avatar(xml, account, :large, 300)
+ single_link_avatar(xml, account, :medium, 96)
+ single_link_avatar(xml, account, :small, 48)
 end
 
 def logo(xml, url)
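Review bot: The new `format.html` line passes `params[:page]` straight into `paginate` with no coercion, so a request like `?page=abc` or `?page=-1` is rejected inside the pagination library (an `InvalidPage`-style error, if this is will_paginate) and surfaces as a 500 rather than a 404 on what appears to be a publicly reachable profile route. A `rescue_from` for that error class mapped to a not-found response, or an explicit `Integer(params[:page], exception: false) || 1` before the call, closes that off; which library is in use is not visible in this hunk, so confirm the error class. Because statuses are now loaded only in the HTML branch, the `format.atom` branch depends on its template fetching statuses itself — that template is outside this diff and worth a quick check. As a matter of style the 140-character chain would read better as a private `paginated_statuses` method, keeping `show` to the `respond_to` dispatch.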
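Review bot: The three `single_link_avatar` calls in `link_avatar` differ only in the (style, pixel) pair, so the size table would be clearer as one frozen constant iterated in place: `AVATAR_SIZES = { large: 300, medium: 96, small: 48 }.freeze` and `AVATAR_SIZES.each { |style, px| single_link_avatar(xml, account, style, px) }`. Note that the width/height values changed from the strings `'300'`/`'96'`/`'48'` to integers; Builder stringifies attribute values so the emitted XML should be unchanged, but a one-line comment on the constant saying the values are pixels written to `media:width`/`media:height` would save the next reader from checking. `link_avatar`'s callers and the surrounding module are outside this hunk.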
@@ -207,4 +207,8 @@ module AtomBuilderHelper
 def root_tag(xml, tag, &block)
 xml.send(tag, { :xmlns => 'http://www.w3.org/2005/Atom', 'xmlns:thr' => 'http://purl.org/syndication/thread/1.0', 'xmlns:activity' => 'http://activitystrea.ms/spec/1.0/', 'xmlns:poco' => 'http://portablecontacts.net/spec/1.0', 'xmlns:media' => 'http://purl.org/syndication/atommedia' }, &block)
 end
+
+ def single_link_avatar(xml, account, size, px)
+ xml.link('rel' => 'avatar', 'type' => account.avatar_content_type, 'media:width' => px, 'media:height' =>px, 'href' => asset_url(account.avatar.url(size, false)))
+ end
 end
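Review bot: The new `single_link_avatar` helper has no comment, and its `size`/`px` pairing is not self-evident; I would add `# Emits one <link rel="avatar"> for the given Paperclip style; px is the square edge length written to media:width/height (Builder stringifies it).` above the `def`. Both `account.avatar_content_type` and the avatar URL originate from an upload and are written into XML attributes here — Builder escapes attribute values, so there is no markup injection, but the `type` attribute is only as trustworthy as the content-type validation on the Account model, which is outside this diff and worth confirming since feed consumers may act on it. Two style nits on the same line: `'media:height' =>px` is missing a space after `=>`, and the helper is added after `root_tag` with no `private` marker visible, so it becomes a public view helper unless the module already has a private section above this hunk.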