Commit Graph

128 Commits

Author SHA1 Message Date
Penar Musaraj 102909edb3 FEATURE: Add support for secure media (#7888)
This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. 

A few notes: 

- the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads
- the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured
- upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status
- when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error
- when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 11:25:42 +10:00
Arpit Jalan 6a417c308f FIX: include onebox default options in development environment 2019-11-07 15:42:53 +05:30
Arpit Jalan 00c406520e FEATURE: allow FinalDestination to use custom user agent for specific hosts 2019-11-07 14:47:51 +05:30
Arpit Jalan 72bc0f82b9 FIX: no need to pass `cache` option in onebox 2019-11-04 10:59:28 +05:30
Penar Musaraj f8b72d9835 DEV: Refactor excluding audio/video URLs from search result blurbs
Followup to 580a4a82
2019-10-31 09:13:24 -04:00
Nacho Caballero d5121e5ddb FIX: Add common HTML5 media extensions to onebox audio and video tags (#8216) 2019-10-21 12:10:40 -04:00
Krzysztof Kotlarek 427d54b2b0 DEV: Upgrading Discourse to Zeitwerk (#8098)
Zeitwerk simplifies working with dependencies in dev and makes it easier reloading class chains. 

We no longer need to use Rails "require_dependency" anywhere and instead can just use standard 
Ruby patterns to require files.

This is a far reaching change and we expect some followups here.
2019-10-02 14:01:53 +10:00
Penar Musaraj 3debdc8131 SECURITY: XSS when oneboxing user profile location field
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
2019-09-17 16:12:50 -04:00
Sam Saffron 30990006a9 DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.

Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Tim Lange 5a9dd923cc FIX: Onebox discourse user not respecting enable names (#7245) 2019-03-25 12:50:14 +05:30
Arpit Jalan e5fd018f44 DEV: assign constant to `preserve_fragment_url_hosts` 2018-12-19 17:37:39 +05:30
Arpit Jalan 1ab91f0474 FIX: preserve github fragment URL 2018-12-19 12:34:47 +05:30
Guo Xiang Tan a1e77aa2ed
FEATURE: Reimplement `SiteSetting.max_oneboxes_per_post`. (#6668)
Previously, the site setting was only effective on the client side of
things. Once the site setting was been reached, all oneboxes are not
rendered. This commit changes it such that the site setting is respected
both on the client and server side. The first N oneboxes are rendered and
once the limit has been reached, subsequent oneboxes will not be
rendered.
2018-11-27 16:00:31 +08:00
Bianca Nenciu 4e0533a20b FIX: Generate Onebox for posts of type moderator_action. (#6466) 2018-10-10 18:39:03 +08:00
Arpit Jalan fadcd36f92 FIX: do not treat ignore_redirects domains as blacklisted
This fix prevents domains present in `ignore_redirects` to be treated as
blacklisted domains and makes sure that onboxing happens for those domains.
Issue reported here: https://meta.discourse.org/t/steam-store-oneboxing-no-longer-works/97266
2018-09-18 10:38:02 +05:30
Bianca Nenciu b6963b8ffb FIX: Ignore OneBox blacklisted domains. 2018-08-27 20:40:55 +02:00
Guo Xiang Tan ad5082d969 Make rubocop happy again. 2018-06-07 13:28:18 +08:00
Régis Hanol 3c8b43bb01 FIX: non-oneboxed links on separate lines should stay on separate lines 2018-04-11 21:33:45 +02:00
Vinoth Kannan 58bb3967e5 SECURITY: Oneboxer should escape the URL before processing 2018-03-15 19:57:55 +05:30
Régis Hanol 3be0294465 FIX: local post onebox was always pointing to 1st post 2018-02-26 16:05:35 +01:00
Régis Hanol 7d7f6faf40 FIX: properly render emojis in local oneboxes 2018-02-26 11:16:53 +01:00
Régis Hanol 0799831dbe FIX: use the avatar of the post rather than the topic in local oneboxes 2018-02-20 19:49:39 +01:00
Régis Hanol 60ec483caa FIX: include title in local onebox when linking to a different topic 2018-02-19 22:40:14 +01:00
Régis Hanol 93b1829f04 tiny refactor 2018-02-16 11:21:11 +01:00
Sam cda3f72ab8 SECURITY: don't onebox whispers 2018-02-16 08:57:20 +11:00
Sam 57e140dc07 FIX: oneboxing to private messages 2018-02-16 08:00:22 +11:00
Régis Hanol 8e0da35857 FIX: allow local oneboxes to public topics/posts in PM 2018-02-15 18:14:41 +01:00
Sam f028ffaf29 SECURITY: correct local onebox category checks
Also removes ugly "source_topic_id" from cooked posts

Patch was authored by @zogstrip

Signed-off-by: Sam <sam.saffron@gmail.com>
2018-02-14 10:40:46 +11:00
Régis Hanol 8e55400392 FIX: add 'SiteSetting.port' to 'Onebox.allowed_ports' in development mode 2017-12-18 18:31:41 +01:00
Joffrey JAFFEUX 6cd8203686 FIX: allows onebox to force GET hosts returning wrong headers on HEAD 2017-08-08 11:44:27 +02:00
Guo Xiang Tan 5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Blake Erickson 6fc5ece628 FIX: onebox for dropbox video links not working
add dropbox to the list of ignore redirects for onebox links
2017-07-26 14:37:54 -06:00
Régis Hanol 9e03fae26c FIX: internal oneboxing wasn't working when login was required 2017-07-17 17:33:10 +02:00
Robin Ward db485ae0da FIX: Support for skipping redirects on certain domains (like steam) 2017-06-26 15:38:43 -04:00
Robin Ward 0de5d01d79 FIX: Onebox wasn't using correct uri 2017-06-06 16:39:15 -04:00
Robin Ward 369bb78f8e FIX: Support for cookies in onebox redirects 2017-06-06 15:02:11 -04:00
Robin Ward 4c690f7089 Use `FinalDestination` to ensure public redirects for onebox 2017-05-22 16:42:49 -04:00
David McClure b188c30925 FIX: Import scripts were failing to load onebox sanitize config 2017-02-25 09:27:42 -08:00
Régis Hanol ba115480ba FIX: wasn't extracting links to quoted posts 2017-02-06 14:45:04 +01:00
Guo Xiang Tan d10fe51b72 Fix broken specs since all urls will be oneboxed. 2017-01-06 10:05:51 +08:00
Régis Hanol b12b2b1911 change onebox preview key for me consistency 2016-12-20 11:18:47 +01:00
Régis Hanol 52cd9972bb FIX: prevent DDoS with lots of _oneboxable_ links
FIX: ensure the onebox route is only allowed to logged in users
FIX: only allow 1 outgoing onebox preview per user
FIX: client should only do 1 preview at a time
2016-12-20 00:31:10 +01:00
Régis Hanol a655e4b092 ensure we allow self oneboxing of login required sites 2016-11-03 22:48:32 +01:00
Régis Hanol 08d53b32ca let's try loading onebox engines this way 2016-10-25 01:25:44 +02:00
Régis Hanol 3841cd9a7f FEATURE: onebox everything by default
FEATURE: new 'max_oneboxes_per_post' site setting
FEATURE: change onebox whitelist to a blacklist
PERF: debounce the loading of oneboxes
PERF: improve perf of mention links in preview
FIX: sort loading of custom oneboxer
2016-10-24 12:46:22 +02:00
Robin Ward 0396b14b70
FEATURE: New "First Onebox" badge 2016-04-12 15:31:14 -04:00
Arpit Jalan f38abbe279 FIX: onebox links should respect nofollow settings 2015-12-04 01:59:12 +05:30
Sam 57870b970d correct hack and move to oneboxer 2015-09-25 20:14:53 +10:00
Sam 18a8853181 FIX: don't crash out searching for parent in oneboxer 2015-09-22 12:42:13 +10:00
Sam 88a5a676a7 lower error level on onebox failures 2015-08-24 10:43:07 +10:00
riking 5657006aca Rename handle_exception to handle_job_exception 2015-02-09 12:47:46 -08:00
riking d90404e830 Change 'code' to 'message' 2014-07-17 15:19:58 -07:00
Robin Ward fc20332c0f Lift all oneboxes out of `<p>` tags. 2014-07-04 16:09:51 -04:00
Robin Ward 7bb33c28c2 Add new `max_width` feature for oneboxes. Allows vimeo oneboxes to not
look like total garbage.
2014-06-05 13:18:18 -04:00
Sam 0bc3525b10 BUGFIX: more robust onebox implementation 2014-05-28 17:15:10 +10:00
Robin Ward b0405d7cfa Adds a Site Setting to whitelist onebox domains 2014-04-09 16:57:45 -04:00
Sam 239bcd19df BUGFIX: protect ourselved against rogue onebox gem 2014-04-01 15:29:14 +11:00
Sam 00a46253ae BUGFIX: Don't resolve oneboxes when cooking
Defer to post save job
2014-03-18 15:22:53 +11:00
Robin Ward cd7ef6b49a Revert "FIX: Bunch of Onebox issues"
This reverts commit ccbe671e4a.
2014-02-25 13:35:08 -05:00
Robin Ward ccbe671e4a FIX: Bunch of Onebox issues 2014-02-25 13:29:05 -05:00
Neil Lalonde d343e9f360 Add DiscourseLocalOnebox 2014-01-29 14:14:07 -05:00
Robin Ward e453bfa073 Work in progress: Swap out onebox code for onebox gem 2014-01-29 14:14:07 -05:00
Neil Lalonde 86647f0a54 Add ScreenedUrl. Rename BlockedEmail to ScreenedEmail. 2013-08-14 16:08:23 -04:00
Sam e4a76812a6 this is a slightly round about way of making our self oneboxes sane
shrunk avatar to 60px, added global whitelisting
2013-05-01 16:38:13 +10:00
Sam Saffron 94a578e4b2 ignore assets
fix runner so it works on mac
get rid of some test warnings
2013-04-30 12:43:59 +10:00
Sam 33e3ad1603 clean up onebox application so it uses a single code path
use fragments for oneboxes
strip parent <p> if <div> is in it
clean some tests
2013-04-10 17:52:38 +10:00
Robin Ward ee5213be5f Fixes regression with video embeds 2013-03-21 20:53:12 -04:00
Robin Ward babcfe6234 Cache oneboxes in Redis now instead of postgres. 2013-03-21 13:11:54 -04:00
Robin Ward 9d4ecd7ef8 Oneboxes should use a sorted array for ordering, not a hash. 2013-03-21 11:47:01 -04:00
Robin Ward 1221c393a3 Merge branch 'whitespace-cleanese' of git://github.com/goshakkk/discourse
Conflicts:
	lib/oneboxer.rb
	lib/oneboxer/whitelist.rb
	spec/controllers/robots_txt_controller_spec.rb
2013-02-26 10:42:49 -05:00
Gosha Arinich cafc75b238 remove trailing whitespaces ❤️ 2013-02-26 07:31:35 +03:00
tms 2e230d2661 Be more selective about when we allow oembed discovery 2013-02-25 20:48:17 -05:00
Robin Ward ba238f92c2 Revert "Merge branch 'onebox-safety' of git://github.com/tms/discourse"
This reverts commit 7ca57db97a, reversing
changes made to b7e027cfd1.
2013-02-19 14:22:13 -05:00
tms 6d06420583 Be more selective about when we allow oembed discovery 2013-02-19 11:46:36 -05:00
tms 702fbcdfa8 Oneboxes shouldn't explode when the remote causes an HTTPError 2013-02-17 04:10:17 -05:00
Jaime Iniesta 6995e75d41 Replace Hpricot with Nokogiri 2013-02-14 11:35:50 +01:00
Sam Saffron 0f88947279 fix onebox for your own site 2013-02-06 16:22:11 +11:00
Robin Ward 21b5628528 Initial release of Discourse 2013-02-05 14:16:51 -05:00