Add v3.42.8

README.md

@@ -9,8 +9,7 @@ I documented my installation process, with additional steps to add Sendgrid, SSL
 In any case I suggest forking my repository into your own, this to avoid changes I make to my repository to negatively impact your installation.
 
 ### One-click deploy
-[![Deploy to Azure](https://azuredeploy.net/deploybutton.png)](https://azuredeploy.net/)
-[![Visualize](http://armviz.io/visualizebutton.png)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FYannickRe%2FGhost-Azure%2Fazure%2Fazuredeploy.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FYannickRe%2FGhost-Azure%2Fmaster%2Fazuredeploy.json)
 
 ### Azure App Service Deployment Center
 More info on [Microsoft Docs](https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment#deploy-continuously-from-github)

azuredeploy.json

@@ -8,9 +8,6 @@
  "hostingPlanName": {
  "type": "string"
  },
- "siteLocation": {
- "type": "string"
- },
  "sku": {
  "type": "string",
  "allowedValues": [
@@ -56,10 +53,12 @@
  "defaultValue": ""
  },
  "repoUrl": {
- "type": "string"
+ "type": "string",
+ "defaultValue": "https://github.com/<<PutYourGitHubUserHere>>/Ghost-Azure"
  },
  "branch": {
- "type": "string"
+ "type": "string",
+ "defaultValue": "master"
  }
  },
  "variables": {
@@ -71,7 +70,7 @@
  {
  "name": "[parameters('hostingPlanName')]",
  "type": "Microsoft.Web/serverfarms",
- "location": "[parameters('siteLocation')]",
+ "location": "[resourceGroup().location]",
  "apiVersion": "2018-02-01",
  "sku": {
  "name": "[variables('sku')]"
@@ -85,7 +84,7 @@
  {
  "name": "[parameters('siteName')]",
  "type": "Microsoft.Web/sites",
- "location": "[parameters('siteLocation')]",
+ "location": "[resourceGroup().location]",
  "apiVersion": "2018-11-01",
  "dependsOn": [
  "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
@@ -152,7 +151,7 @@
  {
  "name": "[variables('appInsightsName')]",
  "type": "Microsoft.Insights/components",
- "location": "[parameters('siteLocation')]",
+ "location": "[resourceGroup().location]",
  "apiVersion": "2014-04-01",
  "condition": "[parameters('Deploy App Insights')]",
  "dependsOn": [
@@ -167,4 +166,4 @@
  }
  }
  ]
-}
+}

core/frontend/helpers/url.js

@@ -11,7 +11,12 @@ module.exports = function url(options) {
  const absolute = options && options.hash.absolute && options.hash.absolute !== 'false';
  let outputUrl = getMetaDataUrl(this, absolute);
 
- outputUrl = encodeURI(decodeURI(outputUrl));
+ try {
+ outputUrl = encodeURI(decodeURI(outputUrl));
+ } catch (err) {
+ // Happens when the outputURL contains an invalid URI character like "%%" or "%80"
+ return new SafeString('');
+ }
 
  return new SafeString(outputUrl);
 };

core/server/services/oembed.js

@@ -85,6 +85,8 @@ class OEmbed {
  }
 
  async fetchBookmarkData(url) {
+ // Metascraper doesn't handle leading/trailing whitespace
+ url = url.trim();
  const metascraper = require('metascraper')([
  require('metascraper-url')(),
  require('metascraper-title')(),
@@ -154,6 +156,10 @@ class OEmbed {
  }
 
  fetchOembedData(_url, cardType) {
+ // Trimming solves the difference of url validation between `new URL(url)`
+ // and metascraper.
+ _url = _url.trim();
+
  // parse the url then validate the protocol and host to make sure it's
  // http(s) and not an IP address or localhost to avoid potential access to
  // internal network endpoints

core/server/web/site/middleware/handle-image-sizes.js

@@ -1,5 +1,6 @@
 const _ = require('lodash');
 const path = require('path');
+const {GhostError} = require('@tryghost/errors');
 const imageTransform = require('@tryghost/image-transform');
 const storage = require('../../../adapters/storage');
 const activeTheme = require('../../../../frontend/services/themes/active');
@@ -100,6 +101,12 @@ module.exports = function (req, res, next) {
  return storageInstance.read({path: storagePath});
  })
  .then((originalImageBuffer) => {
+ if (originalImageBuffer.length <= 0) {
+ throw new GhostError({
+ errorType: 'NoContentError',
+ statusCode: 204
+ });
+ }
  return imageTransform.resizeFromBuffer(originalImageBuffer, imageDimensionConfig);
  })
  .then((resizedImageBuffer) => {
@@ -108,7 +115,7 @@ module.exports = function (req, res, next) {
  }).then(() => {
  next();
  }).catch(function (err) {
- if (err.code === 'SHARP_INSTALLATION') {
+ if (err.code === 'SHARP_INSTALLATION' || err.code === 'IMAGE_PROCESSING' || err.errorType === 'NoContentError') {
  return redirectToOriginal();
  }
  next(err);

package.json

@@ -1,6 +1,6 @@
 {
  "name": "ghost",
- "version": "3.42.7",
+ "version": "3.42.8",
  "description": "The professional publishing platform",
  "author": "Ghost Foundation",
  "homepage": "https://ghost.org",

web.config

@@ -42,11 +42,16 @@
  </rewrite>
  <httpProtocol>
  <customHeaders>
- <remove name="X-Powered-By" />
+ <add name="X-Frame-Options" value="SAMEORIGIN"/>
+ <add name="X-Content-Type-Options" value="nosniff"/>
+ <add name="Content-Security-Policy" value="upgrade-insecure-requests; base-uri 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none';"/>
+ <add name="Permissions-Policy" value="accelerometer=(self), camera=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), payment=(self), usb=(self)" />
+ <add name="Referrer-Policy" value="strict-origin-when-cross-origin"/>
+ <remove name="X-Powered-By" />
  </customHeaders>
  </httpProtocol>
  <security>
  <requestFiltering removeServerHeader="true" />
  </security>
  </system.webServer>
-</configuration>
+</configuration>