Merge branch 'master' into Develop

# Conflicts: # test/Calibre-Web TestSummary_Linux.html
2022-01-25 19:33:21 +01:00 · 2022-01-25 19:33:21 +01:00 · d9d6fb33ba
parent 128db26301 17b4643b7c
commit d9d6fb33ba
6 changed files with 18 additions and 14 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -29,6 +29,9 @@ To receive fixes for security vulnerabilities it is required to always upgrade t
 | V 0.6.15      | Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo                           ||
 | V 0.6.15      | Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo       ||
 | V 0.6.15      | Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo                    ||
+| V 0.6.16      | JavaScript could get executed on authors page. Thanks to @alicaz                                                   ||
+| V 0.6.16      | Localhost can no longer be used to upload covers. Thanks to @scara31                                               ||
+| V 0.6.16      | Another case where public shelfs could be created without permission is prevented. Thanks to @ibarrionuevo         ||


 ## Staement regarding Log4j (CVE-2021-44228 and related)
--- a/cps/constants.py
+++ b/cps/constants.py
@ -151,7 +151,7 @@ def selected_roles(dictionary):
 BookMeta = namedtuple('BookMeta', 'file_path, extension, title, author, cover, description, tags, series, '
                                  'series_id, languages, publisher')

-STABLE_VERSION = {'version': '0.6.16 Beta'}
+STABLE_VERSION = {'version': '0.6.17 Beta'}

 NIGHTLY_VERSION = {}
 NIGHTLY_VERSION[0] = '$Format:%H$'
--- a/cps/static/js/caliBlur.js
+++ b/cps/static/js/caliBlur.js
@ -270,7 +270,7 @@ if ($("body.book").length > 0) {

            if (position + $("#add-to-shelves").width() > $(window).width()) {
                positionOff = position + $("#add-to-shelves").width() - $(window).width();
-                adsPosition = position - positionOff - 5
+                adsPosition = position - positionOff - 5;
                $("#add-to-shelves").attr("style", "left: " + adsPosition + "px !important; right: auto;  top: " + topPos + "px");
            } else {
                $("#add-to-shelves").attr("style", "left: " + position + "px !important; right: auto;  top: " + topPos + "px");
@ -429,7 +429,7 @@ if($("body.advsearch").length > 0) {

          if (position + $("#add-to-shelves").width() > $(window).width()) {
              positionOff = position + $("#add-to-shelves").width() - $(window).width();
-              adsPosition = position - positionOff - 5
+              adsPosition = position - positionOff - 5;
              $("#add-to-shelves").attr("style", "left: " + adsPosition + "px !important; right: auto;  top: " + topPos + "px");
          } else {
              $("#add-to-shelves").attr("style", "left: " + position + "px !important; right: auto;  top: " + topPos + "px");
@ -479,12 +479,12 @@ if ($.trim($("#add-to-shelves").html()).length === 0) {
    $("#add-to-shelf").addClass("empty-ul");
 }

-shelfLength = $("#add-to-shelves li").length
-emptyLength = 0
+shelfLength = $("#add-to-shelves li").length;
+emptyLength = 0;

 $("#add-to-shelves").on("click", "li a", function () {
    console.log("#remove-from-shelves change registered");
-    emptyLength++
+    emptyLength++;

    setTimeout(function () {
        if (emptyLength >= shelfLength) {
--- a/cps/static/js/details.js
+++ b/cps/static/js/details.js
@ -59,10 +59,10 @@ $("#archived_cb").on("change", function() {
        )
    };

-    $("#shelf-actions").on("click", "[data-shelf-action]", function (e) {
+    $("#add-to-shelves, #remove-from-shelves").on("click", "[data-shelf-action]", function (e) {
        e.preventDefault();
        $.ajax({
-                url: this.href,
+                url: $(this).data('href'),
                method:"post",
                data: {csrf_token:$("input[name='csrf_token']").val()},
            })
@ -72,7 +72,7 @@ $("#archived_cb").on("change", function() {
                    case "add":
                        $("#remove-from-shelves").append(
                            templates.remove({
-                                add: this.href,
+                                add: $this.data('href'),
                                remove: $this.data("remove-href"),
                                content: $("<div>").text(this.textContent).html()
                            })
@ -82,7 +82,7 @@ $("#archived_cb").on("change", function() {
                        $("#add-to-shelves").append(
                            templates.add({
                                add: $this.data("add-href"),
-                                remove: this.href,
+                                remove: $this.data('href'),
                                content: $("<div>").text(this.textContent).html(),
                            })
                        );
--- a/cps/templates/detail.html
+++ b/cps/templates/detail.html
@ -260,7 +260,7 @@
            {% for shelf in g.shelves_access %}
              {% if not shelf.id in books_shelfs and ( not shelf.is_public or g.user.role_edit_shelfs() ) %}
                <li>
-                  <a href="{{ url_for('shelf.add_to_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
+                  <a data-href="{{ url_for('shelf.add_to_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
                     data-remove-href="{{ url_for('shelf.remove_from_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
                     data-shelf-action="add"
                  >
@ -275,7 +275,7 @@
          {% if books_shelfs %}
            {% for shelf in g.shelves_access %}
              {% if shelf.id in books_shelfs %}
-                <a href="{{ url_for('shelf.remove_from_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
+                <a data-href="{{ url_for('shelf.remove_from_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
                   data-add-href="{{ url_for('shelf.add_to_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
                   class="btn btn-sm btn-default" role="button" data-shelf-action="remove"
                >
@ -309,13 +309,13 @@
 {% block js %}
 <script type="text/template" id="template-shelf-add">
  <li>
-    <a href="<%= add %>" data-remove-href="<%= remove %>" data-shelf-action="add">
+    <a data-href="<%= add %>" data-remove-href="<%= remove %>" data-shelf-action="add">
      <%= content %>
    </a>
  </li>
 </script>
 <script type="text/template" id="template-shelf-remove">
-  <a href="<%= remove %>" data-add-href="<%= add %>" class="btn btn-sm btn-default" data-shelf-action="remove">
+  <a data-href="<%= remove %>" data-add-href="<%= add %>" class="btn btn-sm btn-default" data-shelf-action="remove">
    <span class="glyphicon glyphicon-remove"></span> <%= content %>
  </a>
 </script>
--- a/cps/templates/search.html
+++ b/cps/templates/search.html
@ -9,6 +9,7 @@
      {% if g.user.is_authenticated %}
        {% if g.user.shelf.all() or g.shelves_access %}
          <div id="shelf-actions" class="btn-toolbar" role="toolbar">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
            <div class="btn-group" role="group" aria-label="Add to shelves">
              <button id="add-to-shelf" type="button" class="btn btn-primary btn-sm dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                <span class="glyphicon glyphicon-list"></span> {{_('Add to shelf')}}