Redmine 4.1.7

2023-07-07 08:08:27 +02:00 · 2023-07-07 08:08:27 +02:00 · 3ca3c37487
commit 3ca3c37487
parent 55458d3479
103 changed files with 2426 additions and 431 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -297,6 +297,7 @@ class AccountController < ApplicationController
      :value => token,
      :expires => 1.year.from_now,
      :path => (Redmine::Configuration['autologin_cookie_path'] || RedmineApp::Application.config.relative_url_root || '/'),
+      :same_site => :lax,
      :secure => secure,
      :httponly => true
    }
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@ -33,7 +33,7 @@ class ActivitiesController < ApplicationController
    @date_from = @date_to - @days
    @with_subprojects = params[:with_subprojects].nil? ? Setting.display_subprojects_issues? : (params[:with_subprojects] == '1')
    if params[:user_id].present?
-      @author = User.active.find(params[:user_id])
+      @author = User.visible.active.find(params[:user_id])
    end

    @activity = Redmine::Activity::Fetcher.new(User.current, :project => @project,
@ -55,7 +55,12 @@ class ActivitiesController < ApplicationController
      end
    end

-    events = @activity.events(@date_from, @date_to)
+    events =
+      if params[:format] == 'atom'
+        @activity.events(nil, nil, :limit => Setting.feeds_limit.to_i)
+      else
+        @activity.events(@date_from, @date_to)
+      end

    if events.empty? || stale?(:etag => [@activity.scope, @date_to, @date_from, @with_subprojects, @author, events.first, events.size, User.current, current_language])
      respond_to do |format|
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@ -101,7 +101,7 @@ class AttachmentsController < ApplicationController
      return
    end

-    @attachment = Attachment.new(:file => request.raw_post)
+    @attachment = Attachment.new(:file => raw_request_body)
    @attachment.author = User.current
    @attachment.filename = params[:filename].presence || Redmine::Utils.random_hex(16)
    @attachment.content_type = params[:content_type].presence
@ -265,4 +265,14 @@ class AttachmentsController < ApplicationController
  def update_all_params
    params.permit(:attachments => [:filename, :description]).require(:attachments)
  end
+
+  # Get an IO-like object for the request body which is usable to create a new
+  # attachment. We try to avoid having to read the whole body into memory.
+  def raw_request_body
+    if request.body.respond_to?(:size)
+      request.body
+    else
+      request.raw_post
+    end
+  end
 end
--- a/app/controllers/mail_handler_controller.rb
+++ b/app/controllers/mail_handler_controller.rb
@ -18,6 +18,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 class MailHandlerController < ActionController::Base
+  include ActiveSupport::SecurityUtils
+
  before_action :check_credential

  # Displays the email submission form
@ -39,7 +41,7 @@ class MailHandlerController < ActionController::Base

  def check_credential
    User.current = nil
-    unless Setting.mail_handler_api_enabled? && params[:key].to_s == Setting.mail_handler_api_key
+    unless Setting.mail_handler_api_enabled? && secure_compare(params[:key].to_s, Setting.mail_handler_api_key.to_s)
      render :plain => 'Access denied. Incoming emails WS is disabled or key is invalid.', :status => 403
    end
  end
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@ -307,7 +307,7 @@ class RepositoriesController < ApplicationController
    render_404
  end

-  REV_PARAM_RE = %r{\A[a-f0-9]*\Z}i
+  REV_PARAM_RE = %r{\A[a-f0-9]*\z}i

  def find_project_repository
    @project = Project.find(params[:id])
@ -318,14 +318,12 @@ class RepositoriesController < ApplicationController
    end
    (render_404; return false) unless @repository
    @path = params[:path].is_a?(Array) ? params[:path].join('/') : params[:path].to_s
-    @rev = params[:rev].blank? ? @repository.default_branch : params[:rev].to_s.strip
-    @rev_to = params[:rev_to]

-    unless REV_PARAM_RE.match?(@rev.to_s) && REV_PARAM_RE.match?(@rev_to.to_s)
-      if @repository.branches.blank?
-        raise InvalidRevisionParam
-      end
-    end
+    @rev = params[:rev].to_s.strip.presence || @repository.default_branch
+    raise InvalidRevisionParam unless valid_name?(@rev)
+
+    @rev_to = params[:rev_to].to_s.strip.presence
+    raise InvalidRevisionParam unless valid_name?(@rev_to)
  rescue ActiveRecord::RecordNotFound
    render_404
  rescue InvalidRevisionParam
@ -410,4 +408,11 @@ class RepositoriesController < ApplicationController
      'attachment'
    end
  end
+
+  def valid_name?(rev)
+    return true if rev.nil?
+    return true if REV_PARAM_RE.match?(rev)
+
+    @repository ? @repository.valid_name?(rev) : true
+  end
 end
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@ -63,7 +63,7 @@ class SearchController < ApplicationController
      @object_types = @object_types.select {|o| User.current.allowed_to?("view_#{o}".to_sym, projects_to_search)}
    end

-    @scope = @object_types.select {|t| params[t]}
+    @scope = @object_types.select {|t| params[t].present?}
    @scope = @object_types if @scope.empty?

    fetcher = Redmine::Search::Fetcher.new(
--- a/app/controllers/sys_controller.rb
+++ b/app/controllers/sys_controller.rb
@ -18,6 +18,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 class SysController < ActionController::Base
+  include ActiveSupport::SecurityUtils
+
  before_action :check_enabled

  def projects
@ -76,7 +78,7 @@ class SysController < ActionController::Base

  def check_enabled
    User.current = nil
-    unless Setting.sys_api_enabled? && params[:key].to_s == Setting.sys_api_key
+    unless Setting.sys_api_enabled? && secure_compare(params[:key].to_s, Setting.sys_api_key.to_s)
      render :plain => 'Access denied. Repository management WS is disabled or key is invalid.', :status => 403
      return false
    end
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@ -134,7 +134,9 @@ class WatchersController < ApplicationController

  def find_objets_from_params
    klass = Object.const_get(params[:object_type].camelcase) rescue nil
-    return unless klass && klass.respond_to?('watched_by')
+    return unless klass && Class === klass # rubocop:disable Style/CaseEquality
+    return unless klass < ActiveRecord::Base
+    return unless klass < Redmine::Acts::Watchable::InstanceMethods

    scope = klass.where(:id => Array.wrap(params[:object_id]))
    if klass.reflect_on_association(:project)
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@ -44,8 +44,6 @@ class WikiController < ApplicationController
  helper :watchers
  include Redmine::Export::PDF

-  include ActionView::Helpers::SanitizeHelper
-
  # List of pages, sorted alphabetically and by parent (hierarchy)
  def index
    load_pages_for_index
@ -91,7 +89,7 @@ class WikiController < ApplicationController
    end
    @content = @page.content_for_version(params[:version])
    if @content.nil?
-      if User.current.allowed_to?(:edit_wiki_pages, @project) && editable? && !api_request?
+      if params[:version].blank? && User.current.allowed_to?(:edit_wiki_pages, @project) && editable? && !api_request?
        edit
        render :action => 'edit'
      else
@ -111,7 +109,7 @@ class WikiController < ApplicationController
        send_data(export, :type => 'text/html', :filename => filename_for_content_disposition("#{@page.title}.html"))
        return
      elsif params[:format] == 'txt'
-        send_data(strip_tags(@content.text), :type => 'text/plain', :filename => filename_for_content_disposition("#{@page.title}.txt"))
+        send_data(@content.text, :type => 'text/plain', :filename => filename_for_content_disposition("#{@page.title}.txt"))
        return
      end
    end