Merge branch 'master' of git://github.com/diaspora/diaspora

Nighoo · Feb 15, 2016 · 0c22a45 · 0c22a45
2 parents f656657 + ad20bb0
commit 0c22a45
Show file tree

Hide file tree

Showing 48 changed files with 2,296 additions and 1,003 deletions.
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -1,22 +1,50 @@
 # Contributor Code of Conduct
 
-As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
 
-We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
 
 Examples of unacceptable behavior by participants include:
 
 * The use of sexualized language or imagery
 * Personal attacks
 * Trolling or insulting/derogatory comments
 * Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses, without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior should be reported by sending an email to [[email protected]](mailto:[email protected]).
-
-This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer at [[email protected]](mailto:[email protected]). All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an
+incident.
+
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/
diff --git a/Changelog.md b/Changelog.md
@@ -1,3 +1,40 @@
+# 0.5.6.3
+
+Fix evil regression caused by Active Model no longer exposing
+`include_root_in_json` in instances.
+
+# 0.5.6.2
+
+* Fix [CVE-2016-0751](https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc) - Possible Object Leak and Denial of Service attack in Action Pack
+* Fix [CVE-2015-7581](https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE) - Object leak vulnerability for wildcard controller routes in Action Pack
+* Fix [CVE-2015-7576](https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k) - Timing attack vulnerability in basic authentication in Action Controller
+* Fix [CVE-2016-0752](https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00) - Possible Information Leak Vulnerability in Action View
+* Fix [CVE-2016-0753](https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ) - Possible Input Validation Circumvention in Active Model
+* Fix [CVE-2015-7577](https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g) - Nested attributes rejection proc bypass in Active Record
+* Fix [CVE-2015-7579](https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc) - XSS vulnerability in rails-html-sanitizer
+* Fix [CVE-2015-7578](https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI) - Possible XSS vulnerability in rails-html-sanitizer
+
+# 0.5.6.1
+
+* Fix Nokogiri CVE-2015-7499
+* Fix unsafe "Remember me" cookies in Devise
+
+# 0.5.6.0
+
+## Refactor
+* Add more integration tests with the help of the new diaspora-federation gem [#6539](https://github.com/diaspora/diaspora/pull/6539)
+
+## Bug fixes
+* Fix mention autocomplete when pasting the username [#6510](https://github.com/diaspora/diaspora/pull/6510)
+* Use and update updated\_at for notifications [#6573](https://github.com/diaspora/diaspora/pull/6573)
+* Ensure the author signature is checked when receiving a relayable [#6539](https://github.com/diaspora/diaspora/pull/6539)
+* Do not try to display hovercards when logged out [#6587](https://github.com/diaspora/diaspora/pull/6587)
+
+## Features
+
+* Display hovercards without aspect dropdown when logged out [#6603](https://github.com/diaspora/diaspora/pull/6603)
+* Add media.ccc.de as a trusted oEmbed endpoint
+
 # 0.5.5.1
 
 * Fix XSS on profile pages

diff --git a/Gemfile b/Gemfile
@@ -1,28 +1,28 @@
 source "https://rubygems.org"
 
-gem "rails", "4.2.5"
+gem "rails", "4.2.5.1"
 
 # Legacy Rails features, remove me!
 # responders (class level)
-gem "responders", "2.1.0"
+gem "responders", "2.1.1"
 
 # Appserver
 
-gem "unicorn", "4.9.0", require: false
+gem "unicorn", "5.0.1", require: false
 
 # Federation
 
-gem "diaspora_federation-rails", "0.0.8"
+gem "diaspora_federation-rails", "0.0.11"
 
 # API and JSON
 
 gem "acts_as_api", "0.4.2"
 gem "json",        "1.8.3"
-gem "json-schema", "2.5.1"
+gem "json-schema", "2.5.2"
 
 # Authentication
 
-gem "devise", "3.5.2"
+gem "devise", "3.5.4"
 gem "devise_lastseenable", "0.0.6"
 gem "devise-token_authenticatable", "~> 0.4.0"
 
@@ -56,21 +56,21 @@ gem "rack-cors", "0.4.0", require: "rack/cors"
 gem "bootstrap-sass", "2.3.2.2"
 gem "compass-rails",  "2.0.5"
 gem "sass-rails",     "5.0.4"
-gem "autoprefixer-rails", "6.0.3"
+gem "autoprefixer-rails", "6.2.2"
 
 # Database
 
 ENV["DB"] ||= "mysql"
 
 gem "mysql2", "0.3.20" if ENV["DB"] == "all" || ENV["DB"] == "mysql"
-gem "pg",     "0.18.3" if ENV["DB"] == "all" || ENV["DB"] == "postgres"
+gem "pg",     "0.18.4" if ENV["DB"] == "all" || ENV["DB"] == "postgres"
 
 gem "activerecord-import", "0.10.0"
 
 # File uploading
 
 gem "carrierwave", "0.10.0"
-gem "fog",         "1.34.0"
+gem "fog",         "1.37.0"
 gem "mini_magick", "4.3.6"
 gem "remotipart",  "1.2.1"
 
@@ -84,11 +84,11 @@ gem "entypo-rails", "2.2.3"
 # JavaScript
 
 gem "backbone-on-rails", "1.2.0.0"
-gem "handlebars_assets", "0.21.0"
+gem "handlebars_assets", "0.22.0"
 gem "jquery-rails",      "4.0.5"
 gem "jquery-ui-rails",   "5.0.5"
 gem "js_image_paths",    "0.0.2"
-gem "js-routes",         "1.1.2"
+gem "js-routes",         "1.2.0"
 
 source "https://rails-assets.org" do
   gem "rails-assets-jquery",                              "1.11.2" # Should be kept in sync with jquery-rails
@@ -100,14 +100,14 @@ source "https://rails-assets.org" do
   gem "rails-assets-markdown-it--markdown-it-for-inline", "0.1.1"
   gem "rails-assets-markdown-it-sub",                     "1.0.0"
   gem "rails-assets-markdown-it-sup",                     "1.0.0"
-  gem "rails-assets-highlightjs",                         "8.9.1"
+  gem "rails-assets-highlightjs",                         "9.0.0"
 
   # jQuery plugins
 
   gem "rails-assets-jeresig--jquery.hotkeys",       "0.2.0"
-  gem "rails-assets-jquery-placeholder",            "2.1.3"
+  gem "rails-assets-jquery-placeholder",            "2.3.1"
   gem "rails-assets-jquery-textchange",             "0.2.3"
-  gem "rails-assets-perfect-scrollbar",             "0.6.7"
+  gem "rails-assets-perfect-scrollbar",             "0.6.8"
   gem "rails-assets-jakobmattsson--jquery-elastic", "1.6.11"
 end
 
@@ -117,7 +117,7 @@ gem "facebox-rails", "0.2.0"
 
 gem "http_accept_language", "2.0.5"
 gem "i18n-inflector-rails", "1.0.7"
-gem "rails-i18n",           "4.0.5"
+gem "rails-i18n",           "4.0.8"
 
 # Mail
 
@@ -126,18 +126,18 @@ gem "messagebus_ruby_api", "1.0.3"
 
 # Parsing
 
-gem "nokogiri",          "1.6.7.1"
-gem "redcarpet",         "3.3.3"
+gem "nokogiri",          "1.6.7.2"
+gem "redcarpet",         "3.3.4"
 gem "twitter-text",      "1.13.0"
 gem "roxml",             "3.1.6"
-gem "ruby-oembed",       "0.8.14"
+gem "ruby-oembed",       "0.9.0"
 gem "open_graph_reader", "0.6.1"
 
 # Services
 
-gem "omniauth",           "1.2.2"
-gem "omniauth-facebook",  "2.0.1"
-gem "omniauth-tumblr",    "1.1"
+gem "omniauth",           "1.3.1"
+gem "omniauth-facebook",  "3.0.0"
+gem "omniauth-tumblr",    "1.2"
 gem "omniauth-twitter",   "1.2.1"
 gem "twitter",            "5.15.0"
 gem "omniauth-wordpress", "0.2.2"
@@ -148,7 +148,7 @@ gem "active_model_serializers", "0.9.3"
 
 # XMPP chat dependencies
 gem "diaspora-vines",             "~> 0.2.0.develop"
-gem "rails-assets-diaspora_jsxc", "~> 0.1.4.alpha", "< 0.1.4.develop", source: "https://rails-assets.org"
+gem "rails-assets-diaspora_jsxc", "~> 0.1.4", source: "https://rails-assets.org"
 
 # Tags
 
@@ -195,7 +195,7 @@ gem "minitest"
 group :production do # we don"t install these on travis to speed up test runs
   # Administration
 
-  gem "rails_admin", "0.7.0"
+  gem "rails_admin", "0.8.1"
 
   # Analytics
 
@@ -232,11 +232,11 @@ group :development do
 
   # Linters
   gem "jshintrb", "0.3.0"
-  gem "rubocop",  "0.34.2"
+  gem "rubocop",  "0.35.1"
 
   # Preloading environment
 
-  gem "spring", "1.4.0"
+  gem "spring", "1.6.1"
   gem "spring-commands-rspec", "1.0.4"
   gem "spring-commands-cucumber", "1.0.1"
 
@@ -246,7 +246,7 @@ group :development do
   gem "pry-byebug"
 
   # test coverage
-  gem "simplecov", "0.10.0", require: false
+  gem "simplecov", "0.11.1", require: false
 end
 
 group :test do
@@ -255,7 +255,7 @@ group :test do
   gem "fixture_builder",   "0.4.1"
   gem "fuubar",            "2.0.0"
   gem "rspec-instafail",   "0.4.0", require: false
-  gem "test_after_commit", "0.4.1"
+  gem "test_after_commit", "0.4.2"
 
   # Cucumber (integration tests)
 
@@ -267,8 +267,10 @@ group :test do
 
   gem "factory_girl_rails", "4.5.0"
   gem "timecop",            "0.8.0"
-  gem "webmock",            "1.22.1", require: false
-  gem "shoulda-matchers",   "3.0.0"
+  gem "webmock",            "1.22.3", require: false
+  gem "shoulda-matchers",   "3.0.1"
+
+  gem "diaspora_federation-test", "0.0.11"
 end
 
 group :development, :test do
@@ -279,7 +281,7 @@ group :development, :test do
   gem "cucumber-rails",     "1.4.2", require: false
 
   # Jasmine (client side application tests (JS))
-  gem "jasmine",                   "2.3.1"
+  gem "jasmine",                   "2.4.0"
   gem "jasmine-jquery-rails",      "2.0.3"
   gem "rails-assets-jasmine-ajax", "3.2.0", source: "https://rails-assets.org"
   gem "sinon-rails",               "1.15.0"