Skip to content

Releases: gollum/gollum

Release v5.3.2

01 May 18:44
@github-actions github-actions
v5.3.2
ce916a2
Compare
Choose a tag to compare
Release v5.3.2 Latest
Latest

5.3.2

Contributors

bartkamphorst
Assets 3

Release v5.3.1

20 Mar 16:35
@dometto dometto
v5.3.1
9de544d
Compare
Choose a tag to compare
Release v5.3.1

A backport of some fixes from the current development branch that make Gollum compatible with Ruby 3.2!

Work on Gollum 6.0 continues steadily, and we hope to be able to release it soon.

Assets 2

Release v5.3.0

25 May 09:27
@github-actions github-actions
v5.3.0
9c2f8df
Compare
Choose a tag to compare
Release v5.3.0

5.3.0 / 2022-05-24

  • Feature: allow for overriding only specific Mustache templates/partials (@beporter)
  • Feature: Add option to show browser's local time (@NikitaIvanovV)
  • Improvement: presentation on mobile devices (@benjaminwil)
  • Improvement: Add page context to template filter. #1603 (@tevino)
  • Fix: restore normalize check on file upload (@manofstick)
  • Fix mathjax on edit and create pages. #1772 (@fhchl)
  • Fix utf-8 issues: #1721 #1758 #1801 (@basking2, @dometto)
  • Fix an IME rendering issue. #1735 (@yy0931)
  • Fix broken history button when viewing historical deleted file. (@NikitaIvanovV)
  • Fix: non-ascii characters in page names are not rendered correctly in the preview tab of the "Edit" page. #1739 (@yy0931)
  • Fix: anchors and header display on JRuby. #1779

Contributors

dometto, basking2, and 7 other contributors
Assets 3

Release 5.1.2

15 Jul 08:42
@dometto dometto
v5.1.2
bfbfb21
Compare
Choose a tag to compare
Release 5.1.2

Gollum versions from 5.0 up to this release were vulnerable to CVE-2020-35305, a Cross-Site Scripting (XSS) vulnerability. Please update!

NB: this report has arrived late because it took about two years for a CVE to be reserved. 😢 Newer versions of Gollum have been released since, which are all unaffected by this vulnerability.

Description of the vulnerability

  • Vulnerability Type: Cross Site Scripting (XSS)
  • Affected Component: Gollum wiki's Overview and Pages.
  • Result: Run arbitrary JavaScript on Gollum's Overview and Pages pages.
  • Attack Vectors: Enter a maliciously crafted filename in the 'New Page' dialog
  • Discoverer: Tsubasa Umeuchi (@Szarny)

Reproducing the vulnerability

Filenames of the following form triggered the vulnerability on the Overview and Pages views: '<img src=x onerror=alert(1) />'.

Solution

We now sanitize displayed page names (137728c) and have added regression tests guarding against this and similar vulnerabilities. Thanks to @Szarny for the report!

Contributors

Szarny
Assets 2