Merge branch 'release-0.8.1.3'

History.md

@@ -1,6 +1,27 @@
 ## v.NEXT
 
 
+## v.0.8.1.3
+
+* Fix a security issue in the `spiderable` package. `spiderable` now
+  uses the ROOT_URL environment variable instead of the Host header to
+  determine which page to snapshot.
+
+* Fix hardcoded Twitter URL in `oauth1` package. This fixes a regression
+  in 0.8.0.1 that broke Atmosphere packages that do OAuth1
+  logins. #2154.
+
+* Add `credentialSecret` argument to `Google.retrieveCredential`, which
+  was forgotten in a previous release.
+
+* Remove nonexistent `-a` and `-r` aliases for `--add` and `--remove` in
+  `meteor help authorized`. #2155
+
+* Add missing `underscore` dependency in the `oauth-encryption` package. #2165
+
+* Fix minification bug that caused some apps to fail to render in IE8. #2037.
+
+
 ## v.0.8.1.2
 
 * Fix memory leak (introduced in 0.8.1) by making sure to unregister

docs/.meteor/release

@@ -1 +1 @@
-0.8.1.2
+0.8.1.3

docs/lib/release-override.js

@@ -1,5 +1,5 @@
 // While galaxy apps are on their own special meteor releases, override
 // Meteor.release here.
 if (Meteor.isClient) {
-  Meteor.release = Meteor.release ? "0.8.1.2" : undefined;
+  Meteor.release = Meteor.release ? "0.8.1.3" : undefined;
 }

examples/clock/.meteor/release

@@ -1 +1 @@
-0.8.1.2
+0.8.1.3

examples/leaderboard/.meteor/release

@@ -1 +1 @@
-0.8.1.2
+0.8.1.3

examples/parties/.meteor/release

@@ -1 +1 @@
-0.8.1.2
+0.8.1.3

examples/todos/.meteor/release

@@ -1 +1 @@
-0.8.1.2
+0.8.1.3

examples/wordplay/.meteor/release

@@ -1 +1 @@
-0.8.1.2
+0.8.1.3

packages/google/google_server.js

@@ -78,6 +78,6 @@ var getIdentity = function (accessToken) {
 };
 
 
-Google.retrieveCredential = function(credentialToken) {
-  return OAuth.retrieveCredential(credentialToken);
+Google.retrieveCredential = function(credentialToken, credentialSecret) {
+  return OAuth.retrieveCredential(credentialToken, credentialSecret);
 };

packages/htmljs/html.js

@@ -31,7 +31,7 @@ HTML.ensureTag = function (tagName) {
 // Given "p" create the function `HTML.P`.
 var makeTagConstructor = function (tagName) {
   // HTMLTag is the per-tagName constructor of a HTML.Tag subclass
-  var HTMLTag = function HTMLTag(/*arguments*/) {
+  var HTMLTag = function (/*arguments*/) {
     // Work with or without `new`.  If not called with `new`,
     // perform instantiation by recursively calling this constructor.
     // We can't pass varargs, so pass no args.

packages/oauth-encryption/package.js

@@ -7,6 +7,7 @@ Package.describe({
 
 Package.on_use(function (api) {
   api.export("OAuthEncryption", ["server"]);
+  api.use("underscore");
   api.add_files("encrypt.js", ["server"]);
 });
 

packages/oauth1/oauth1_server.js

@@ -11,7 +11,8 @@ OAuth._requestHandlers['1'] = function (service, query, res) {
 
   if (query.requestTokenAndRedirect) {
     // step 1 - get and store a request token
-    var callbackUrl = Meteor.absoluteUrl("_oauth/twitter?close&state=" +
+    var callbackUrl = Meteor.absoluteUrl("_oauth/" + service.serviceName +
+                                         "?close&state=" +
                                          query.state);
 
     // Get a request token to start auth process

packages/spiderable/package.js

@@ -12,3 +12,8 @@ Package.on_use(function (api) {
   api.add_files('spiderable.html', 'client');
   api.add_files('spiderable.js', 'server');
 });
+
+Package.on_test(function (api) {
+  api.use(['spiderable', 'tinytest']);
+  api.add_files('spiderable_tests.js', 'server');
+});

packages/spiderable/spiderable.js

@@ -23,6 +23,30 @@ var REQUEST_TIMEOUT = 15*1000;
 // small for our docs.
 var MAX_BUFFER = 5*1024*1024; // 5MB
 
+// Exported for tests.
+Spiderable._urlForPhantom = function (siteAbsoluteUrl, requestUrl) {
+  // reassembling url without escaped fragment if exists
+  var parsedUrl = urlParser.parse(requestUrl);
+  var parsedQuery = querystring.parse(parsedUrl.query);
+  delete parsedQuery['_escaped_fragment_'];
+
+  var parsedAbsoluteUrl = urlParser.parse(siteAbsoluteUrl);
+  // If the ROOT_URL contains a path, Meteor strips that path off of the
+  // request's URL before we see it. So we concatenate the pathname from
+  // the request's URL with the root URL's pathname to get the full
+  // pathname.
+  if (parsedUrl.pathname.charAt(0) === "/") {
+    parsedUrl.pathname = parsedUrl.pathname.substring(1);
+  }
+  parsedAbsoluteUrl.pathname = urlParser.resolve(parsedAbsoluteUrl.pathname,
+                                                 parsedUrl.pathname);
+  parsedAbsoluteUrl.query = parsedQuery;
+  // `url.format` will only use `query` if `search` is absent
+  parsedAbsoluteUrl.search = null;
+
+  return urlParser.format(parsedAbsoluteUrl);
+};
+
 WebApp.connectHandlers.use(function (req, res, next) {
   // _escaped_fragment_ comes from Google's AJAX crawling spec:
   // https://developers.google.com/webmasters/ajax-crawling/docs/specification
@@ -35,13 +59,7 @@ WebApp.connectHandlers.use(function (req, res, next) {
       _.any(Spiderable.userAgentRegExps, function (re) {
         return re.test(req.headers['user-agent']); })) {
 
-    // reassembling url without escaped fragment if exists
-    var parsedUrl = urlParser.parse(req.url);
-    var parsedQuery = querystring.parse(parsedUrl.query);
-    delete parsedQuery['_escaped_fragment_'];
-    var newQuery = querystring.stringify(parsedQuery);
-    var newPath = parsedUrl.pathname + (newQuery ? ('?' + newQuery) : '');
-    var url = "http://" + req.headers.host + newPath;
+    var url = Spiderable._urlForPhantom(Meteor.absoluteUrl(), req.url);
 
     // This string is going to be put into a bash script, so it's important
     // that 'url' (which comes from the network) can neither exploit phantomjs

packages/spiderable/spiderable_tests.js

@@ -0,0 +1,47 @@
+var url = Npm.require("url");
+
+Tinytest.add("spiderable - phantom url generation", function (test, expect) {
+  var absUrl = "http://example.com";
+  _.each([
+    {
+      requestUrl: "/?_escaped_fragment_=1",
+      expected: "/"
+    },
+    // Test that query strings are preserved
+    {
+      requestUrl: "/?_escaped_fragment_=1&foo=bar",
+      expected: "/?foo=bar"
+    },
+    {
+      requestUrl: "/?foo=bar&_escaped_fragment_=1",
+      expected: "/?foo=bar"
+    },
+    // Test that paths are preserved
+    {
+      requestUrl: "/foo/bar?_escaped_fragment_=1",
+      expected: "/foo/bar"
+    },
+    {
+      requestUrl: "/foo/bar?_escaped_fragment_=1&foo=bar",
+      expected: "/foo/bar?foo=bar"
+    },
+    // Test with a path on the site's absolute url
+    {
+      requestUrl: "/foo/bar?_escaped_fragment_=1",
+      expected: "/foo/bar",
+      absUrl: "http://example.com/foo"
+    },
+    {
+      requestUrl: "/bar?_escaped_fragment_=1",
+      expected: "/bar",
+      absUrl: "http://example.com/foo"
+    }
+  ], function (testCase) {
+    testCase.absUrl = testCase.absUrl || absUrl;
+
+    test.equal(
+      Spiderable._urlForPhantom(absUrl, testCase.requestUrl),
+      absUrl + testCase.expected
+    );
+  });
+});

scripts/admin/banner.txt

@@ -1,5 +1,5 @@
-=> Meteor 0.8.1.2: Fix regressions from 0.8.1, including a memory
-   leak in DDP heartbeats.
+=> Meteor 0.8.1.3: Fixes a security flaw in the `spiderable` package and
+   minor regressions from 0.8.1.
 
    This release is being downloaded in the background. Update your
-   project to Meteor 0.8.1.2 by running 'meteor update'.
+   project to Meteor 0.8.1.3 by running 'meteor update'.

scripts/admin/notices.json

@@ -135,6 +135,9 @@
   {
     "release": "0.8.1.2"
   },
+  {
+    "release": "0.8.1.3"
+  },
   {
     "release": "NEXT"
   }

tools/help.txt

@@ -203,8 +203,8 @@ yourself. (Ask someone else who is an authorized user to do it.)
 You can only add or remove one authorized user at a time.
 
 Options:
-  --add, -a     add an authorized user
-  --remove, -r  remove an authorized user
+  --add         add an authorized user
+  --remove      remove an authorized user
   --list        list authorized users (the default)