From 6c1bf5f860e9e0b1b119380affa1784dbcd5b57d Mon Sep 17 00:00:00 2001
From: Simon Brooke
Date: Fri, 7 Jan 2022 11:16:47 +0000
Subject: [PATCH 1/2] Corrected all JavaScript security vulnerabilities except simplemde
There doesn't (yet) seem to be a fix for the simplemde problem.
---
.gitignore | 6 ++++++
project.clj | 12 ++++++------
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.gitignore b/.gitignore
index 95c58ff..80bed40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,12 @@ pom.xml.asc
smeagol.log*
/node_modules/
.DS_Store
+.clj-kondo/
+.idea/
+.calva/
+.lsp
+.eastwood
+smeagol.iml
resources/public/content/uploads/
diff --git a/project.clj b/project.clj
index f3d5602..8fd9f73 100644
--- a/project.clj
+++ b/project.clj
@@ -50,13 +50,13 @@
[lein-npm "0.6.2"]
[lein-ring "0.12.5" :exclusions [org.clojure/clojure]]]
- :npm {:dependencies [[simplemde "1.11.2"]
- [vega "5.8.0"]
- [vega-embed "6.2.2"]
- [vega-lite "4.1.1"]
- [mermaid "8.4.6"]
+ :npm {:dependencies [[mermaid "8.13.8"]
[photoswipe "4.1.3"]
- [tablesort "5.2.0"]]
+ [simplemde "1.11.2"]
+ [tablesort "5.3.0"]
+ [vega "5.21.0"]
+ [vega-embed "6.20.5"]
+ [vega-lite "5.2.0"]]
:root "resources/public/vendor"}
:docker {:image-name "simonbrooke/smeagol"
From ee7f1c0bdaf14d988c66f24163d08cdacfce32b8 Mon Sep 17 00:00:00 2001
From: Simon Brooke
Date: Sun, 20 Feb 2022 12:00:03 +0000
Subject: [PATCH 2/2] This isn't perfect, but does solve the 'getting lost on login' issue.
---
resources/templates/base.html | 3 +--
src/smeagol/routes/wiki.clj | 9 ++++++---
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/resources/templates/base.html b/resources/templates/base.html
index 01152af..6d11c9a 100644
--- a/resources/templates/base.html
+++ b/resources/templates/base.html
@@ -80,8 +80,7 @@
one wiki to rule them allOne Wiki to rule them all || - Smeagol wiki engine {{version}} || - The Web Engineering Factory & Toolworks Developed by WEFT + Smeagol wiki engine {{version}}
Built with LuminusWeb ||
diff --git a/src/smeagol/routes/wiki.clj b/src/smeagol/routes/wiki.clj
index 27ec424..fa136f6 100644
--- a/src/smeagol/routes/wiki.clj
+++ b/src/smeagol/routes/wiki.clj
@@ -380,13 +380,14 @@
(or (show-sanity-check-error)
(let [params (keywordize-keys (:params request))
+ headers (keywordize-keys (:headers request))
form-params (keywordize-keys (:form-params request))
username (:username form-params)
password (:password form-params)
action (:action form-params)
user (session/get :user)
- redirect-to (:redirect-to params)]
- (if redirect-to (log/info (str "After auth, redirect to: " redirect-to)))
+ redirect-to (or (:redirect-to params) (:referer headers))]
+ (when redirect-to (log/info (str "After auth, redirect to: " redirect-to)))
(cond
(= action (util/get-message :logout-label request))
(do
@@ -418,7 +419,9 @@
;; else merge a redirect target into the params
(let [redirect-to (if (:uri request)
- (cs/join "?" [(:uri request) (:query-string request)]))]
+ (cs/join "?" [(:uri request) (:query-string request)])
+ ((:headers request) "referer"))]
+ (log/info "Setting redirect to '" redirect-to "'")
(assoc-in request [:params :redirect-to] redirect-to))))))
(defn passwd-page
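Review bot: The new binding `redirect-to (or (:redirect-to params) (:referer headers))` takes the post-login destination from the Referer header, which is supplied by the client, and nothing in this hunk constrains it to a location on this wiki; a login reached through a link from another site would therefore send the freshly authenticated user back off-site (an open redirect), and the same applies to the `((:headers request) "referer")` fallback in the second hunk at `@@ -418`. The `:redirect-to` parameter had the same weakness before this commit, but widening the source to the Referer makes it reachable without any crafted query string. The redirect itself, and the start of the enclosing function, are outside this hunk, so the check is best placed where the value is bound; a small helper that accepts only a relative path or an http(s) URL whose host equals Ring's `:server-name` keeps both hunks consistent. Logging the raw header value with `log/info` is fine, but the guard should run before the value is stored in the session or params.
```clojure
(defn- local-redirect-target
  "Return candidate only if it stays on this host: a path starting with a
  single \"/\", or an http(s) URL whose host equals the request's
  :server-name. Anything else (other schemes, other hosts, unparsable
  input) yields nil so the caller falls back to its default."
  [request candidate]
  (when (string? candidate)
    (let [uri (try (java.net.URI. candidate)
                   (catch java.net.URISyntaxException _ nil))]
      (when (and uri
                 (or (and (nil? (.getScheme uri))
                          (nil? (.getHost uri))
                          (cs/starts-with? candidate "/")
                          (not (cs/starts-with? candidate "//")))
                     (and (contains? #{"http" "https"} (.getScheme uri))
                          (= (.getHost uri) (:server-name request)))))
        candidate))))

;; … unchanged: the other let bindings …
redirect-to (local-redirect-target
              request
              (or (:redirect-to params) (:referer headers)))]
```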
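Review bot: The fallback `((:headers request) "referer")` reads the same header that the earlier hunk reaches through `keywordize-keys` as `(:referer headers)`; using one access form in both places makes it obvious the two paths agree on the header name. The fallback is only taken when `(:uri request)` is nil, which a Ring request should not normally present, so it looks unreachable in practice — worth confirming against the caller, and a one-line comment such as `;; :uri is absent only for synthetic requests; fall back to the Referer` would record the intent either way. The enclosing function begins before this hunk but closes on the `(assoc-in ...)` line, so the added `log/info` is its last side effect before returning.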