From 795ef2463f9e155582b1ff68c2764610400987e1 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Thu, 7 Dec 2023 12:30:27 +0100
Subject: [PATCH 1/5] build(packages): add back Debian Buster as it seems
people are still using it
Signed-off-by: Thomas Citharel
---
.gitlab-ci.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 602337ceb..09c686f2a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -337,6 +337,7 @@ package-app:
[
"debian-bookworm",
"debian-bullseye",
+ "debian-buster",
"ubuntu-jammy",
"ubuntu-focal",
"ubuntu-bionic",
From 0caaf2bf2e1ee3c7a609323c73363bcf45ee819e Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Thu, 7 Dec 2023 12:30:49 +0100
Subject: [PATCH 2/5] build(packages): remove alpine packages as there's no
demand for it
Signed-off-by: Thomas Citharel
---
.gitlab-ci.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 09c686f2a..9a1b2e64a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -341,8 +341,6 @@ package-app:
"ubuntu-jammy",
"ubuntu-focal",
"ubuntu-bionic",
- "alpine-3.17.5",
- "alpine-3.18.4",
"fedora-38",
"fedora-39",
]
From 5e3d8a861f0be7578109a9ff2a14172184c66ae4 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Thu, 7 Dec 2023 12:36:11 +0100
Subject: [PATCH 3/5] chore(release): 4.0.1
Signed-off-by: Thomas Citharel
---
CHANGELOG.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
mix.exs | 2 +-
package.json | 2 +-
3 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 894b8eb6e..9cb02382c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,55 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## 4.0.1 (2023-12-07)
+
+### Security issues
+
+This release fixes different security issues reported by the potsda.mn collective. Please make sure to upgrade as soon as possible.
+
+### Added
+
+- Added a CLI task to test if emails configuration works properly
+
+### Fixed
+- Fixes XSS issues in groups descriptions, report contents, messages from anonymous participations and resources descriptions
+- Fixes Docker configuration that prevented the image to launch
+
+### Changed
+
+- Added back Debian Buster builds
+
+### Complete changelog
+
+* build(packages): add back Debian Buster as it seems people are still using it ([795ef24](https://framagit.org/framasoft/mobilizon/commits/795ef24))
+* build(packages): remove alpine packages as there's no demand for it ([0caaf2b](https://framagit.org/framasoft/mobilizon/commits/0caaf2b))
+* Translated using Weblate (Croatian) ([9c88fae](https://framagit.org/framasoft/mobilizon/commits/9c88fae))
+* Translated using Weblate (Croatian) ([623f4ee](https://framagit.org/framasoft/mobilizon/commits/623f4ee))
+* Translated using Weblate (Croatian) ([1162dd0](https://framagit.org/framasoft/mobilizon/commits/1162dd0))
+* Translated using Weblate (Galician) ([97c53bb](https://framagit.org/framasoft/mobilizon/commits/97c53bb))
+* Translated using Weblate (Galician) ([e08b057](https://framagit.org/framasoft/mobilizon/commits/e08b057))
+* Translated using Weblate (Galician) ([ec5e436](https://framagit.org/framasoft/mobilizon/commits/ec5e436))
+* Translated using Weblate (Korean) ([1a1ad52](https://framagit.org/framasoft/mobilizon/commits/1a1ad52))
+* Translated using Weblate (Korean) ([7b4c31d](https://framagit.org/framasoft/mobilizon/commits/7b4c31d))
+* fix: always consider report content as text ([ffff379](https://framagit.org/framasoft/mobilizon/commits/ffff379))
+* fix: sanitize descriptions from resources ([dc6647f](https://framagit.org/framasoft/mobilizon/commits/dc6647f))
+* fix(config): fix setting path for Mobilizon.Service.SiteMap ([7d725bd](https://framagit.org/framasoft/mobilizon/commits/7d725bd))
+* fix(docker): fix getting configuration value from env MOBILIZON_SMTP_TLS ([28063bd](https://framagit.org/framasoft/mobilizon/commits/28063bd)), closes [#1381](https://framagit.org/framasoft/mobilizon/issues/1381)
+* fix(docker): fix getting default value for MOBILIZON_SMTP_SSL env ([126727b](https://framagit.org/framasoft/mobilizon/commits/126727b))
+* fix(docker): use separate env for tzdata dir path ([9907f88](https://framagit.org/framasoft/mobilizon/commits/9907f88))
+* fix(emails): use tls_certificate_check to add tls config for mailer ([db38550](https://framagit.org/framasoft/mobilizon/commits/db38550))
+* fix(front): anonymous participant text is plain text, avoid using v-html ([2c12fbf](https://framagit.org/framasoft/mobilizon/commits/2c12fbf))
+* fix(front): fix editing group ([935799f](https://framagit.org/framasoft/mobilizon/commits/935799f))
+* fix(front): fix XSS because of bad operations when setting the group's summary ([ded59be](https://framagit.org/framasoft/mobilizon/commits/ded59be))
+* fix(front): put correct value for CONVERSATION_LIST enum value ([94bf2e5](https://framagit.org/framasoft/mobilizon/commits/94bf2e5))
+* fix(graphql): set default value for resource type parameter ([09f4132](https://framagit.org/framasoft/mobilizon/commits/09f4132))
+* feat(cli): add command to test emails send correctly ([7210f86](https://framagit.org/framasoft/mobilizon/commits/7210f86))
+* feat(docker): allow to configure loglevel at runtime through env variable ([4855af8](https://framagit.org/framasoft/mobilizon/commits/4855af8))
+* test: add new tests for XSS in actors summary ([58e50e3](https://framagit.org/framasoft/mobilizon/commits/58e50e3))
+* style: linting front-end ([41227d9](https://framagit.org/framasoft/mobilizon/commits/41227d9))
+* refactor(activitypub): handle failure finding public key in actor keys ([5b337f9](https://framagit.org/framasoft/mobilizon/commits/5b337f9))
+
+
## 4.0.0 (2023-12-05)
### Breaking changes
diff --git a/mix.exs b/mix.exs
index 53f2a77d6..dc4a0e4e5 100644
--- a/mix.exs
+++ b/mix.exs
@@ -1,7 +1,7 @@
defmodule Mobilizon.Mixfile do
use Mix.Project
- @version "4.0.0"
+ @version "4.0.1"
def project do
[
diff --git a/package.json b/package.json
index 57cd5e2f9..77c88ae60 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "mobilizon",
- "version": "4.0.0",
+ "version": "4.0.1",
"private": true,
"scripts": {
"dev": "vite",
From 1af8e37e9bf2c1629866cd166d6f2cc80760226b Mon Sep 17 00:00:00 2001
From: "potsda.mn-Kollektiv"
Date: Thu, 7 Dec 2023 14:28:59 +0100
Subject: [PATCH 4/5] fix(front-end): add more security fixes for formatted
lists and notifier
- introduce html escape function
- escape message content in notifier plugin
- escape user name in ConversationListItem
- escape user name in the Event EditView contacts section
- display user summary as plain text in ActorCard
Signed-off-by: Thomas Citharel
---
src/components/Account/ActorCard.vue | 11 ++++++++++-
src/components/Conversations/ConversationListItem.vue | 3 ++-
src/plugins/notifier.ts | 3 ++-
src/utils/html.ts | 10 ++++++++++
src/views/Event/EditView.vue | 3 ++-
5 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/components/Account/ActorCard.vue b/src/components/Account/ActorCard.vue
index 2124b746d..6856a2bd0 100644
--- a/src/components/Account/ActorCard.vue
+++ b/src/components/Account/ActorCard.vue
@@ -30,7 +30,7 @@
@{{ usernameWithDomain(actor) }}
+
{
const formattedListOfParticipants = computed(() => {
return formatList(
otherParticipants.value.map(
- (participant) => `${displayName(participant)}`
+ (participant) => `${escapeHtml(displayName(participant))}`
)
);
});
diff --git a/src/plugins/notifier.ts b/src/plugins/notifier.ts
index 0b5e9c3fe..23719b706 100644
--- a/src/plugins/notifier.ts
+++ b/src/plugins/notifier.ts
@@ -1,3 +1,4 @@
+import { escapeHtml } from "@/utils/html";
import { App } from "vue";
export class Notifier {
@@ -21,7 +22,7 @@ export class Notifier {
private notification(message: string, type: string) {
this.app.config.globalProperties.$oruga.notification.open({
- message,
+ message: escapeHtml(message),
duration: 5000,
position: "bottom-right",
type,
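Review bot: The reason for escaping on the changed line `message: escapeHtml(message),` is not recorded in the code; `notification()` is private and fans out to every notifier call, so a maintainer who later builds a message with deliberate markup will see it rendered literally with no hint why. Add a why-comment above it, e.g. `// the notification component appears to render message as markup; escape so caller-supplied text (server error strings, user-provided names) cannot inject HTML` — whether `$oruga.notification` really renders as HTML is not visible here and should be confirmed against its docs before the comment is worded as fact. Be aware that `escapeHtml` as added in src/utils/html.ts also trims its input, so message whitespace changes with this line. The enclosing `Notifier` class continues outside the hunk.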
diff --git a/src/utils/html.ts b/src/utils/html.ts
index 02b8763b4..7f0ac34a9 100644
--- a/src/utils/html.ts
+++ b/src/utils/html.ts
@@ -5,3 +5,13 @@ export const getValueFromMeta = (name: string): string | null => {
}
return null;
};
+
+export function escapeHtml(html: string) {
+ const p = document.createElement("p");
+ p.appendChild(document.createTextNode(html.trim()));
+
+ const escapedContent = p.innerHTML;
+ p.remove();
+
+ return escapedContent;
+}
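Review bot: `escapeHtml` as added here also trims its input (`html.trim()` on the `createTextNode` line), so every caller in this series — the notifier message and the formatted participant and contact lists — silently loses leading and trailing whitespace, which an escaping helper's name does not promise. Serialising a text node through `innerHTML` rewrites only `&`, `<` and `>`; quotes pass through, so the result is safe as element text content but not inside an attribute value, and the helper depends on a live `document`, which rules it out under SSR and DOM-less unit tests (`p.remove()` on the never-attached element is a no-op either way). A pure string replacement covers both contexts, drops the DOM dependency and lets the function state a precise contract; it also deserves a return type and a JSDoc saying exactly which characters are escaped and that the input is not trimmed.
```typescript
// … unchanged: getValueFromMeta …

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

/**
 * Escapes `&`, `<`, `>`, `"` and `'` so `html` can be interpolated as
 * HTML text or attribute content. The input is returned otherwise
 * unchanged (no trimming); it is not URL- or JavaScript-escaped.
 */
export function escapeHtml(html: string): string {
  return html.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
```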
diff --git a/src/views/Event/EditView.vue b/src/views/Event/EditView.vue
index d833d8dea..3d9deba6c 100644
--- a/src/views/Event/EditView.vue
+++ b/src/views/Event/EditView.vue
@@ -180,7 +180,7 @@
{
contact: formatList(
event.contacts.map((contact) =>
- displayNameAndUsername(contact)
+ escapeHtml(displayNameAndUsername(contact))
)
),
},
@@ -628,6 +628,7 @@ import { useHead } from "@unhead/vue";
import { useProgrammatic } from "@oruga-ui/oruga-next";
import type { Locale } from "date-fns";
import sortBy from "lodash/sortBy";
+import { escapeHtml } from "@/utils/html";
const DEFAULT_LIMIT_NUMBER_OF_PLACES = 10;
From 987c5b59d3929befeab306f5e6c79de0b6fd6ad4 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Thu, 7 Dec 2023 14:55:16 +0100
Subject: [PATCH 5/5] chore(release): 4.0.2
Signed-off-by: Thomas Citharel
---
CHANGELOG.md | 14 ++++++++++++++
mix.exs | 2 +-
package.json | 2 +-
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9cb02382c..6fd40709e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## 4.0.2 (2023-12-07)
+
+### Security issues
+
+This release fixes different security issues reported by the potsda.mn collective. Please make sure to upgrade as soon as possible.
+
+### Fixed
+
+- Fixes XSS issues in notifier and participant and event contacts list formatting
+
+
+* fix(front-end): add more security fixes for formatted lists and notifier ([1af8e37](https://framagit.org/framasoft/mobilizon/commits/1af8e37))
+
+
## 4.0.1 (2023-12-07)
### Security issues
diff --git a/mix.exs b/mix.exs
index dc4a0e4e5..27fde9dac 100644
--- a/mix.exs
+++ b/mix.exs
@@ -1,7 +1,7 @@
defmodule Mobilizon.Mixfile do
use Mix.Project
- @version "4.0.1"
+ @version "4.0.2"
def project do
[
diff --git a/package.json b/package.json
index 77c88ae60..809abd5f2 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "mobilizon",
- "version": "4.0.1",
+ "version": "4.0.2",
"private": true,
"scripts": {
"dev": "vite",