discourse/spec
Kelv b9363494d4
FIX: invalid CSP directive sources should allow site to boot with valid CSP directives (stable) (#31270)
[Security patch](5558e72f22) (for this [CVE](https://nvd.nist.gov/vuln/detail/CVE-2024-54133)) from rails actionpack was backported from [Rails 8.0.0.1](https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md#rails-8001-december-10-2024) to previous stable versions including `7-1-stable` / `7-2-stable`.

Any previous version of Discourse upgrading to v3.4.0.beta3 and above
would have observed their sites crashing if they had invalid sources in
their CSP directive extensions.

This fix removes such invalid sources during our build of the CSP, and
logs these at a warning level so devs are able to find out why their CSP
sources were filtered out of the extendable directives.
2025-02-11 11:51:01 +08:00
fabricators FEATURE: Improve wizard quality and rearrange steps (#30055) 2025-01-02 09:28:23 +10:00
fixtures FIX: invalid CSP directive sources should allow site to boot with valid CSP directives (stable) (#31270) 2025-02-11 11:51:01 +08:00
generator DEV: Silence the output of migration specs (#26365) 2024-03-26 11:32:44 +01:00
helpers SECURITY: Preload data only when rendering application layout 2025-02-04 13:32:30 -03:00
import_export DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
initializers DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
integration SECURITY: When enabled only allow Discourse Connect logins 2024-12-19 13:13:23 -03:00
integrity DEV: Add spec to ensure app works with multiple tagged loggers 2024-08-13 18:10:03 +02:00
jobs UX: Remove loading="lazy" from avatars for improved UX (#30897) 2025-01-21 14:06:45 +00:00
lib FIX: invalid CSP directive sources should allow site to boot with valid CSP directives (stable) (#31270) 2025-02-11 11:51:01 +08:00
mailers FEATURE: add support for One-Click unsubscribe (RFC 8058) 2024-12-31 15:28:59 +01:00
migrations DEV: update fa6 icons to drop fa prefix (#30100) 2024-12-05 10:00:41 +08:00
models DEV: Resolve flaky trust_level spec (#31165) 2025-02-04 13:46:31 +00:00
multisite FIX: Include original filename in s3 uploads even if not attachment (#30789) 2025-01-15 18:08:18 +08:00
requests SECURITY: Limit /inline-onebox to 10 URLs at a time 2025-02-04 13:32:53 -03:00
script/import_scripts DEV: Catch missing translations during test runs (#26258) 2024-05-24 22:15:53 +08:00
serializers FEATURE: Multiple Draft Topics (#30790) 2025-01-29 10:23:26 +04:00
services PERF: Enqueue Job::BackfillBadge in Jobs::BadgeGrant (#30945) 2025-01-24 09:35:01 +08:00
support DEV: Remove invalid parsing options (#30545) 2025-01-03 13:17:49 +01:00
system FIX: invalid CSP directive sources should allow site to boot with valid CSP directives (stable) (#31270) 2025-02-11 11:51:01 +08:00
tasks DEV: Fix constant redefinition warnings when running specs (#29837) 2024-11-20 15:17:36 +11:00
views FEATURE: Simplify crawler content for non-canonical post URLs (#26324) 2024-03-26 15:18:46 +00:00
rails_helper.rb DEV: Add base admin page page object (#30814) 2025-01-16 12:52:41 +08:00
regenerate_swagger_docs
swagger_helper.rb DEV: Bump rswag-specs from 2.11.0 to 2.13.0 (#24654) 2023-12-07 08:16:47 +08:00