mirror of https://github.com/TryGhost/Ghost.git synced 2025-03-11 02:12:21 -05:00
ghost/core/server
Daniel Lockyer 93e4b2eafd 🔒 Fixed remote command injection when using sendmail email transport
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-wfrj-qqc2-83cm
refs https://github.com/advisories/GHSA-48ww-j4fc-435p

- a vulnerability in `nodemailer` means that the `sendmail` transport is
  vulnerable to command injection for flags passed to the `sendmail`
  binary
- updating to the latest version of Nodemailer required creating
  `@tryghost/nodemailer`, which is a wrapper around Nodemailer and
  several plugins that used to be in the core
- this commit switches to using that package, and fixes up some small
  code + test changes
2021-09-17 16:46:51 +01:00
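The commit above fixes argument injection into the `sendmail` transport. The example below is added here to show the mechanism; it is not Ghost's or Nodemailer's code. It models, in simplified form, how a sendmail binary reads its argv (tokens starting with `-` before a bare `--` are flags, and `-X<file>` names a transcript log; the real getopt handling is richer), builds the command line the naive way an email transport might, and then the hardened way. The `buildArgsNaive`, `buildArgsHardened`, `parseSendmailArgv` and `demo` names are assumptions of this example, and the addresses are constructed sample input.

```javascript
'use strict';

// Simplified model of a sendmail binary's command-line parsing (assumption of
// this example, not the real implementation): every token before a bare "--"
// that starts with "-" is a flag; "-X<file>" enables a transcript log written
// to <file>; "-f<addr>" sets the envelope sender. Everything else is a recipient.
function parseSendmailArgv(argv) {
  const result = { envelopeFrom: null, logFile: null, recipients: [] };
  let optionsDone = false;
  for (let i = 0; i < argv.length; i += 1) {
    const tok = argv[i];
    if (!optionsDone && tok === '--') {
      optionsDone = true;
    } else if (!optionsDone && tok.startsWith('-')) {
      if (tok.startsWith('-f')) {
        result.envelopeFrom = tok.length > 2 ? tok.slice(2) : argv[++i];
      } else if (tok.startsWith('-X')) {
        result.logFile = tok.length > 2 ? tok.slice(2) : argv[++i];
      }
      // other flags such as "-i" are accepted and ignored in this model
    } else {
      result.recipients.push(tok);
    }
  }
  return result;
}

// Vulnerable shape (hypothetical transport code): user-controlled addresses are
// appended straight after the flags, so a recipient beginning with "-" is read
// by the binary as a flag rather than as an address.
function buildArgsNaive(from, recipients) {
  return ['-i', '-f', from, ...recipients];
}

// Hardened shape: allow only bare addresses (no leading "-", no whitespace or
// shell metacharacters) and end option parsing with "--" before the recipients.
const SAFE_ADDRESS = /^[A-Za-z0-9._+=-]+@[A-Za-z0-9.-]+$/;

function assertSafeAddress(addr) {
  if (typeof addr !== 'string' || addr.startsWith('-') || !SAFE_ADDRESS.test(addr)) {
    throw new Error(`refusing unsafe address: ${JSON.stringify(addr)}`);
  }
  return addr;
}

function buildArgsHardened(from, recipients) {
  assertSafeAddress(from);
  recipients.forEach(assertSafeAddress);
  return ['-i', '-f', from, '--', ...recipients];
}

// Runs both builders against a constructed hostile recipient and reports what
// the modelled binary would do with each command line.
function demo() {
  const hostile = '-X/tmp/sendmail.log'; // constructed sample input
  const naive = parseSendmailArgv(
    buildArgsNaive('news@example.test', ['alice@example.test', hostile])
  );
  let hardenedRejected = false;
  try {
    buildArgsHardened('news@example.test', ['alice@example.test', hostile]);
  } catch (e) {
    hardenedRejected = true;
  }
  return {
    naiveLogFile: naive.logFile,        // '/tmp/sendmail.log': the flag took effect
    naiveRecipients: naive.recipients,  // ['alice@example.test']: hostile entry vanished
    hardenedRejected,                   // true: validation refused the address
  };
}

module.exports = { parseSendmailArgv, buildArgsNaive, buildArgsHardened, demo };
```

Two practical notes: spawn the binary with an argv array (`child_process.execFile` / `spawn`, never a shell string), and treat the address validation as the control you rely on; the `--` terminator is defence in depth, since not every sendmail-compatible shim is guaranteed to honour it.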
adapters Swapped to American English spellings 2021-07-27 12:15:19 +04:00
api Removed method complexity in webhooks API controller 2021-09-17 10:11:23 +03:00
data fixup! Refactored migration to run faster 2021-09-17 16:33:14 +01:00
lib Blocked 0.* IP addresses when making oembed requests 2021-09-14 11:35:14 +01:00
models Added temporary database table for analytic events (#13312) 2021-09-17 11:15:21 +02:00
public Added /email/ route to robots.txt 2021-08-10 13:45:53 +04:00
services 🔒 Fixed remote command injection when using sendmail email transport 2021-09-17 16:46:51 +01:00
views
web Added Members bulk actions endpoint 2021-08-23 16:38:21 +02:00
analytics-events.js Added comments to all usages of lib/common/events 2021-07-07 16:02:44 +01:00
ghost-server.js
notify.js
overrides.js
run-update-check.js
update-check.js