Ghost/ghost
Fabien "egg" O'Carroll 07f9564eea 🔐 Restricted reading files from outside the theme directory
closes https://github.com/TryGhost/Product/issues/4191

Without this patch, themes can read arbitrary files from your system and
expose them to the internet via the layout feature of express-hbs.

For example `{{!< ../../../../config.production.json}}` would spit out config,
which can contain secrets.

As theme upload is restricted to users with the Admin role, this mostly affects
hosting providers which use their own secret keys for e.g. mail or database config
2023-11-28 12:46:06 +00:00
adapter-cache-memory-ttl Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
adapter-cache-redis Added performance metrics to redis cache purging (#19039) 2023-11-17 00:17:16 -08:00
adapter-manager Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
admin v5.74.4 2023-11-27 07:56:41 +00:00
announcement-bar-settings Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
api-framework Update TryGhost packages 2023-10-31 20:54:17 +01:00
api-version-compatibility-service Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
audience-feedback Update TryGhost packages 2023-10-31 20:54:17 +01:00
bookshelf-repository Added tests to AdminX framework package (#19022) 2023-11-20 11:00:51 +00:00
bootstrap-socket Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
collections Removed usage of unquoted ids in filter strings (#19070) 2023-11-21 09:45:36 +01:00
constants Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
core 🔐 Restricted reading files from outside the theme directory 2023-11-28 12:46:06 +00:00
custom-theme-settings-service 🐛 Fixed contain/starts/endsWith filters with /, _ or % in them (#19015) 2023-11-16 09:35:20 +00:00
data-generator 🔒 Added support for logging out members on all devices (#18935) 2023-11-15 17:10:28 +01:00
domain-events Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
donations Update dependency typescript to v5.3.2 2023-11-20 20:11:26 +01:00
dynamic-routing-events Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
email-addresses Added calculated email address settings (#19115) 2023-11-23 13:07:15 +00:00
email-analytics-provider-mailgun Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
email-analytics-service Update TryGhost packages 2023-10-31 20:54:17 +01:00
email-content-generator Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
email-events Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
email-service Added email address alignment protections (#19094) 2023-11-23 10:25:30 +01:00
email-suppression-list Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
event-aware-cache-wrapper Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
express-dynamic-redirects Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
external-media-inliner Improve external media inliner URL handling (#18428) 2023-10-19 11:58:41 +01:00
extract-api-key Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
html-to-plaintext Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
i18n Added Scottish Gaelic translations (#19001) 2023-11-20 15:56:51 +00:00
importer-handler-content-files Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
importer-revue Enabled emoji picker in feature image caption (#18824) 2023-11-01 21:22:56 +00:00
in-memory-repository Added tests to AdminX framework package (#19022) 2023-11-20 11:00:51 +00:00
job-manager Update dependency @sinonjs/fake-timers to v11.2.2 2023-11-20 11:12:57 +01:00
link-redirects Update Types packages 2023-11-08 12:13:12 +01:00
link-replacer Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
link-tracking 🐛 Fixed contain/starts/endsWith filters with /, _ or % in them (#19015) 2023-11-16 09:35:20 +00:00
magic-link Update Types packages 2023-11-08 12:29:48 +01:00
mail-events Added tests to AdminX framework package (#19022) 2023-11-20 11:00:51 +00:00
mailgun-client Fixed mailto unsubscribe header to only unsubscribe current tags (#18995) 2023-11-15 12:57:24 +00:00
member-attribution Update TryGhost packages 2023-10-31 20:54:17 +01:00
member-events Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
members-api 🐛 Fixed contain/starts/endsWith filters with /, _ or % in them (#19015) 2023-11-16 09:35:20 +00:00
members-csv Fixed typos (#18648) 2023-10-31 15:21:44 +00:00
members-events-service Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
members-importer Update TryGhost packages 2023-10-31 20:54:17 +01:00
members-ssr Fixed deleting session when requesting identity for invalid session (#19017) 2023-11-16 11:01:50 +00:00
mentions-email-report Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
milestones Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
minifier Update TryGhost packages 2023-10-31 20:54:17 +01:00
model-to-domain-event-interceptor Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
mw-api-version-mismatch Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
mw-cache-control Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
mw-error-handler Improved error handling for SQL errors (#18797) 2023-11-01 13:47:41 -07:00
mw-session-from-token Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
mw-update-user-last-seen Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
mw-version-match Update TryGhost packages 2023-10-31 20:54:17 +01:00
mw-vhost Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
nql-filter-expansions Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
oembed-service Update metascraper to v5.38.0 2023-11-09 14:24:54 +00:00
offers Added last redeemed property to Offers (#19066) 2023-11-21 08:02:15 +00:00
package-json Update TryGhost packages 2023-10-31 20:54:17 +01:00
payments Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
post-events Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
post-revisions Added tests to AdminX framework package (#19022) 2023-11-20 11:00:51 +00:00
posts-service 🐛 Fixed contain/starts/endsWith filters with /, _ or % in them (#19015) 2023-11-16 09:35:20 +00:00
recommendations Update dependency typescript to v5.3.2 2023-11-20 20:11:26 +01:00
referrers Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
security Update TryGhost packages 2023-10-31 20:54:17 +01:00
session-service Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
settings-path-manager Update TryGhost packages 2023-10-31 20:54:17 +01:00
slack-notifications Update TryGhost packages 2023-10-31 20:54:17 +01:00
staff-service Added email address alignment protections (#19094) 2023-11-23 10:25:30 +01:00
stats-service Update Types packages 2023-11-21 15:06:56 +01:00
stripe Update TryGhost packages 2023-10-31 20:54:17 +01:00
tiers Update TryGhost packages 2023-10-31 20:54:17 +01:00
update-check-service Update TryGhost packages 2023-10-31 20:54:17 +01:00
verification-trigger Aligned dependencies with resolution values 2023-10-13 08:37:36 +02:00
version-notifications-data-service Configured all unit tests to use dot reporter 2023-10-05 12:24:24 +02:00
webmentions Removed usage of unquoted ids in filter strings (#19070) 2023-11-21 09:45:36 +01:00
tsconfig.json Disabled TypeScript incremental building 2023-08-09 18:27:56 +02:00