From 0de00a4ac15bfa30fe209046136ca7c70558b0e0 Mon Sep 17 00:00:00 2001 From: Trenton H <797416+stumpylog@users.noreply.github.com> Date: Wed, 14 Feb 2024 17:14:33 -0800 Subject: [PATCH 1/4] Resets develop versioning --- src-ui/src/environments/environment.prod.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src-ui/src/environments/environment.prod.ts b/src-ui/src/environments/environment.prod.ts
index aba3c9f7c..b029a8c5c 100644
--- a/src-ui/src/environments/environment.prod.ts
+++ b/src-ui/src/environments/environment.prod.ts
@@ -5,7 +5,7 @@ export const environment = {
 apiBaseUrl: document.baseURI + 'api/',
 apiVersion: '5',
 appTitle: 'Paperless-ngx',
- version: '2.5.2',
+ version: '2.5.2-dev',
 webSocketHost: window.location.host,
 webSocketProtocol: window.location.protocol == 'https:' ? 'wss:' : 'ws:',
 webSocketBaseUrl: base_url.pathname + 'ws/',
From f6ddcfa8395ca785d51bce75a6dfb8417cf075b0 Mon Sep 17 00:00:00 2001 From: MaciejSzczurek <117445547+MaciejSzczurek@users.noreply.github.com> Date: Thu, 15 Feb 2024 16:59:33 +0100 Subject: [PATCH 2/4] Moved ssl_mode parameter for mysql backend engine (#5771) --- src/paperless/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index 163492b1e..2ccad849d 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -586,8 +586,8 @@ def _parse_db_settings() -> dict:
 options = {
 "read_default_file": "/etc/mysql/my.cnf",
 "charset": "utf8mb4",
+ "ssl_mode": os.getenv("PAPERLESS_DBSSLMODE", "PREFERRED"),
 "ssl": {
- "ssl_mode": os.getenv("PAPERLESS_DBSSLMODE", "PREFERRED"),
 "ca": os.getenv("PAPERLESS_DBSSLROOTCERT", None),
 "cert": os.getenv("PAPERLESS_DBSSLCERT", None),
 "key": os.getenv("PAPERLESS_DBSSLKEY", None),
From 8d664fad568516369a9e86de4b0f4cbd467aaacb Mon Sep 17 00:00:00 2001 
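Review bot: The added `"ssl_mode"` entry sits beside the `"ssl"` dict with no comment saying why, and the `PREFERRED` default is only opportunistic encryption (TLS if the server offers it, plaintext otherwise), so the `ca`/`cert`/`key` entries below do not by themselves make the connection verified. A one-line comment on the added line would stop the next reader from moving it back into the nested dict: `# ssl_mode is a top-level mysqlclient connect() option, not a key of the "ssl" dict; PREFERRED does not require TLS, set VERIFY_CA or VERIFY_IDENTITY to enforce it`. The value read from `PAPERLESS_DBSSLMODE` is passed through as-is; whether the driver rejects an unknown mode or silently falls back is not visible in this hunk and would be worth confirming. `_parse_db_settings` continues outside the hunk.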
From: Trenton H <797416+stumpylog@users.noreply.github.com> Date: Thu, 15 Feb 2024 09:33:26 -0800 Subject: [PATCH 3/4] Fixes the interaction when both splitting and ASN are enabled (#5779) --- src/documents/barcodes.py | 8 +++----- src/documents/tests/test_barcodes.py | 6 +++++- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/src/documents/barcodes.py b/src/documents/barcodes.py index fe1e94b8a..e68ba4f8c 100644 --- a/src/documents/barcodes.py +++ b/src/documents/barcodes.py @@ -100,11 +100,9 @@ class BarcodePlugin(ConsumeTaskPlugin): logger.info(f"Found tags in barcode: {tags}") # Lastly attempt to split documents - if settings.CONSUMER_ENABLE_BARCODES: - - separator_pages = self.get_separation_pages() - if not separator_pages: - return "No pages to split on!" + if settings.CONSUMER_ENABLE_BARCODES and ( + separator_pages := self.get_separation_pages() + ): # We have pages to split against diff --git a/src/documents/tests/test_barcodes.py b/src/documents/tests/test_barcodes.py index 732c2e167..2f4f5cd39 100644 --- a/src/documents/tests/test_barcodes.py +++ b/src/documents/tests/test_barcodes.py @@ -15,6 +15,7 @@ from documents.data_models import ConsumableDocument from documents.data_models import DocumentMetadataOverrides from documents.data_models import DocumentSource from documents.models import Tag +from documents.plugins.base import StopConsumeTaskError from documents.tests.utils import DirectoriesMixin from documents.tests.utils import DocumentConsumeDelayMixin from documents.tests.utils import DummyProgressManager @@ -415,7 +416,10 @@ class TestBarcode( test_file = self.SAMPLE_DIR / "simple.pdf" with self.get_reader(test_file) as reader: - self.assertEqual("No pages to split on!", reader.run()) + try: + reader.run() + except StopConsumeTaskError: + self.fail("Barcode reader split pages unexpectedly") @override_settings( CONSUMER_ENABLE_BARCODES=True, From f1049cf889ade44c754f4d7254f62f000b99f0b3 Mon Sep 17 00:00:00 2001 
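Review bot: Folding the lookup into the condition with a walrus means `separator_pages` is bound only when `CONSUMER_ENABLE_BARCODES` is truthy and `get_separation_pages()` returns a non-empty value; any later reference to the name outside this `if` (the method continues past the hunk) would raise `UnboundLocalError`, and the early-return string that previously documented the no-split case has no replacement. The intent is clear enough to state in a comment above the condition, `# Split only when barcodes are enabled and at least one separator page was found; otherwise fall through`, since the multi-line `and (...)` with an assignment expression is easy to misread as an unconditional lookup. The `BarcodePlugin` method enclosing this hunk starts and ends outside it.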
From: shamoon <4887959+shamoon@users.noreply.github.com> Date: Thu, 15 Feb 2024 16:37:34 -0800 Subject: [PATCH 4/4] Fix: dont allow allauth redirects to any host (#5783) --------- Co-authored-by: Trenton H <797416+stumpylog@users.noreply.github.com> --- src/paperless/adapter.py | 16 +++++++++++++++ src/paperless/tests/test_adapter.py | 30 +++++++++++++++++++++++++++++ src/paperless/urls.py | 2 +- 3 files changed, 47 insertions(+), 1 deletion(-) diff --git a/src/paperless/adapter.py b/src/paperless/adapter.py index 98b0f11ba..40f95bf30 100644 --- a/src/paperless/adapter.py +++ b/src/paperless/adapter.py @@ -1,4 +1,5 @@ from allauth.account.adapter import DefaultAccountAdapter +from allauth.core import context from allauth.socialaccount.adapter import DefaultSocialAccountAdapter from django.conf import settings from django.urls import reverse @@ -10,6 +11,21 @@ class CustomAccountAdapter(DefaultAccountAdapter): # Override with setting, otherwise default to super. return getattr(settings, "ACCOUNT_ALLOW_SIGNUPS", allow_signups) + def is_safe_url(self, url): + # see https://github.com/paperless-ngx/paperless-ngx/issues/5780 + from django.utils.http import url_has_allowed_host_and_scheme + + # get_host already validates the given host, so no need to check it again + allowed_hosts = {context.request.get_host()} | set(settings.ALLOWED_HOSTS) + + if "*" in allowed_hosts: + # dont allow wildcard to allow urls from any host + allowed_hosts.remove("*") + allowed_hosts.add(context.request.get_host()) + return url_has_allowed_host_and_scheme(url, allowed_hosts=allowed_hosts) + + return url_has_allowed_host_and_scheme(url, allowed_hosts=allowed_hosts) + class CustomSocialAccountAdapter(DefaultSocialAccountAdapter): def is_open_for_signup(self, request, sociallogin): diff --git a/src/paperless/tests/test_adapter.py b/src/paperless/tests/test_adapter.py index ca79cbce0..f07e0b422 100644 --- a/src/paperless/tests/test_adapter.py +++ b/src/paperless/tests/test_adapter.py 
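Review bot: `url_has_allowed_host_and_scheme` is called without `require_https`, so on an HTTPS deployment a `next` of `http://<request host>/...` is still accepted and the post-login redirect downgrades to plaintext; Django's own `LoginView` passes `require_https=self.request.is_secure()` for exactly this reason. The wildcard branch is also redundant: `context.request.get_host()` is already in the set built on the line above (assuming `get_host()` returns the same value on both calls), so the `add()` is a no-op and both branches return the same expression — `allowed_hosts.discard("*")` followed by a single `return` says the same thing with less to read. The function-local import of `url_has_allowed_host_and_scheme` could move up to the module imports next to `django.urls`; nothing in the hunk suggests an import cycle that would justify keeping it local. `is_safe_url` is complete within the hunk.
```python
    def is_safe_url(self, url):
        # … unchanged: issue link, local import, allowed_hosts construction …
        # A "*" entry would accept a redirect to any host; drop it and rely on
        # the validated request host that is already in the set.
        allowed_hosts.discard("*")
        return url_has_allowed_host_and_scheme(
            url,
            allowed_hosts=allowed_hosts,
            require_https=context.request.is_secure(),
        )
```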
@@ -1,7 +1,12 @@ +from unittest import mock + from allauth.account.adapter import get_adapter +from allauth.core import context from allauth.socialaccount.adapter import get_adapter as get_social_adapter from django.conf import settings +from django.http import HttpRequest from django.test import TestCase +from django.test import override_settings from django.urls import reverse @@ -17,6 +22,31 @@ class TestCustomAccountAdapter(TestCase): settings.ACCOUNT_ALLOW_SIGNUPS = False self.assertFalse(adapter.is_open_for_signup(None)) + def test_is_safe_url(self): + request = HttpRequest() + request.get_host = mock.Mock(return_value="example.com") + with context.request_context(request): + adapter = get_adapter() + with override_settings(ALLOWED_HOSTS=["*"]): + + # True because request host is same + url = "https://example.com" + self.assertTrue(adapter.is_safe_url(url)) + + url = "https://evil.com" + # False despite wildcard because request host is different + self.assertFalse(adapter.is_safe_url(url)) + + settings.ALLOWED_HOSTS = ["example.com"] + url = "https://example.com" + # True because request host is same + self.assertTrue(adapter.is_safe_url(url)) + + settings.ALLOWED_HOSTS = ["*", "example.com"] + url = "//evil.com" + # False because request host is not in allowed hosts + self.assertFalse(adapter.is_safe_url(url)) + class TestCustomSocialAccountAdapter(TestCase): def test_is_open_for_signup(self): diff --git a/src/paperless/urls.py b/src/paperless/urls.py index 0419b8e66..142f2792d 100644 --- a/src/paperless/urls.py +++ b/src/paperless/urls.py @@ -193,6 +193,7 @@ urlpatterns = [ RedirectView.as_view( url=settings.STATIC_URL + "frontend/en-US/assets/%(path)s", ), + # TODO: with localization, this is even worse! :/ ), # App logo re_path( 
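Review bot: The comment on the final case, `# False because request host is not in allowed hosts`, states the opposite of what the assertion checks — the request host is allowed, the target `//evil.com` is not — and should read `# False: the wildcard is dropped and evil.com is not an allowed host`. After the first two cases the test switches from `override_settings` to direct assignment `settings.ALLOWED_HOSTS = [...]`; one nested `with override_settings(ALLOWED_HOSTS=...)` per case keeps each value scoped to its own assertion instead of relying on the outer context manager to undo the assignments on exit. No case covers a host that is in `ALLOWED_HOSTS` but differs from the request host (e.g. `ALLOWED_HOSTS=["other.example"]` with `https://other.example`), which is the only path where the union with `settings.ALLOWED_HOSTS` actually matters, and no case exercises an `http://` target on a secure request. `TestCustomAccountAdapter` continues outside the hunk.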
@@ -200,7 +201,6 @@ urlpatterns = [
 serve,
 kwargs={"document_root": os.path.join(settings.MEDIA_ROOT, "logo")},
 ),
- # TODO: with localization, this is even worse! :/
 # login, logout
 path("accounts/", include("allauth.urls")),
 # Root of the Frontend