From a171938daf454fa988f5697ad892311c8bfbe72e Mon Sep 17 00:00:00 2001
From: Christian Klaussner
Date: Tue, 18 Oct 2016 22:31:45 +0200
Subject: [PATCH 1/9] Update links to MongoDB driver docs
---
 packages/mongo/collection.js | 4 ++--
 packages/mongo/connection_options.js | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/mongo/collection.js b/packages/mongo/collection.js
index d28cf4bc05..8e7d505a99 100644
--- a/packages/mongo/collection.js
+++ b/packages/mongo/collection.js
@@ -704,7 +704,7 @@ Mongo.Collection.prototype._createCappedCollection = function (byteSize, maxDocu
 };
 /**
- * @summary Returns the [`Collection`](http://mongodb.github.io/node-mongodb-native/1.4/api-generated/collection.html) object corresponding to this collection from the [npm `mongodb` driver module](https://www.npmjs.com/package/mongodb) which is wrapped by `Mongo.Collection`.
+ * @summary Returns the [`Collection`](http://mongodb.github.io/node-mongodb-native/2.2/api/Collection.html) object corresponding to this collection from the [npm `mongodb` driver module](https://www.npmjs.com/package/mongodb) which is wrapped by `Mongo.Collection`.
 * @locus Server
 */
 Mongo.Collection.prototype.rawCollection = function () {
@@ -716,7 +716,7 @@ Mongo.Collection.prototype.rawCollection = function () {
 };
 /**
- * @summary Returns the [`Db`](http://mongodb.github.io/node-mongodb-native/1.4/api-generated/db.html) object corresponding to this collection's database connection from the [npm `mongodb` driver module](https://www.npmjs.com/package/mongodb) which is wrapped by `Mongo.Collection`.
+ * @summary Returns the [`Db`](http://mongodb.github.io/node-mongodb-native/2.2/api/Db.html) object corresponding to this collection's database connection from the [npm `mongodb` driver module](https://www.npmjs.com/package/mongodb) which is wrapped by `Mongo.Collection`.
 * @locus Server
 */
 Mongo.Collection.prototype.rawDatabase = function () {
diff --git a/packages/mongo/connection_options.js b/packages/mongo/connection_options.js
index c061513e0f..a5e746c4ca 100644
--- a/packages/mongo/connection_options.js
+++ b/packages/mongo/connection_options.js
@@ -1,6 +1,6 @@
 /**
 * @summary Allows for user specified connection options
- * @example http://mongodb.github.io/node-mongodb-native/2.1/reference/connecting/connection-settings/
+ * @example http://mongodb.github.io/node-mongodb-native/2.2/reference/connecting/connection-settings/
 * @locus Server
 * @param {Object} options User specified Mongo connection options
 */
From eef23a30b4eda0b17467fd3b4eb7a1e9106aa43e Mon Sep 17 00:00:00 2001
From: Ramez Rafla
Date: Tue, 18 Oct 2016 16:01:02 -0400
Subject: [PATCH 2/9] Adding gap: into CSP
In UIWebView on iOS10 we get CSP failure to load gap://ready, this resolves it on both simulator and device
---
 packages/boilerplate-generator/boilerplate_web.cordova.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/boilerplate-generator/boilerplate_web.cordova.html b/packages/boilerplate-generator/boilerplate_web.cordova.html
index 9c4f7fac4c..5cb90f70f9 100644
--- a/packages/boilerplate-generator/boilerplate_web.cordova.html
+++ b/packages/boilerplate-generator/boilerplate_web.cordova.html
@@ -4,7 +4,7 @@ - + {{! We are explicitly not using bundledJsCssUrlRewriteHook: in cordova we serve assets up directly from disk, so rewriting the URL does not make sense }}
From 3c3352be129158e2fff25e8bb7faaaf262d66860 Mon Sep 17 00:00:00 2001
From: Jesse Rosenberger
Date: Wed, 12 Oct 2016 10:21:32 +0300
Subject: [PATCH 3/9] Don't lower `ulimit` max open files if it's already higher than desired
Previously, if the default ulimit was set to a value higher than 16384, it was lowering it. While this doesn't do much for users with default OS settings, those that have modified their ulimit settings will have their settings maintained.
---
 meteor | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/meteor b/meteor
index 86f47df4e7..2c2a757958 100755
--- a/meteor
+++ b/meteor
@@ -114,10 +114,8 @@ DEV_BUNDLE="$SCRIPT_DIR/dev_bundle"
 METEOR="$SCRIPT_DIR/tools/index.js"
-# Bump our file descriptor ulimit as high as it will go. This is a
-# temporary workaround for dependancy watching holding open too many
-# files: https://app.asana.com/0/364581412985/472479912325
-if [ "$(ulimit -n)" != "unlimited" ] ; then
+# Try higher ulimit maxfiles settings until permitted by the kernel
+if [ "$(ulimit -n)" != "unlimited" ] && ! [ "$(ulimit -n)" -gt 16384 ] ; then
 ulimit -n 16384 > /dev/null 2>&1 || \
 ulimit -n 8192 > /dev/null 2>&1 || \
 ulimit -n 4096 > /dev/null 2>&1 || \
From fb5ceb62ff3bdd52de01407f87306eb90aa0f79b Mon Sep 17 00:00:00 2001
From: Jesse Rosenberger
Date: Wed, 12 Oct 2016 10:52:46 +0300
Subject: [PATCH 4/9] Increase the value of the first `ulimit` max open files change attempt
Make the first attempt 32768 instead of 16384 since some users have large numbers of files or node_modules trees (meteor/meteor#6952). This hasn't been raised since Meteor started watching many more files nor since the addition of native NPM.
---
 meteor | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meteor b/meteor
index 2c2a757958..f399fbd52d 100755
--- a/meteor
+++ b/meteor
@@ -115,7 +115,8 @@ METEOR="$SCRIPT_DIR/tools/index.js"
 # Try higher ulimit maxfiles settings until permitted by the kernel
-if [ "$(ulimit -n)" != "unlimited" ] && ! [ "$(ulimit -n)" -gt 16384 ] ; then
+if [ "$(ulimit -n)" != "unlimited" ] && ! [ "$(ulimit -n)" -gt 32768 ] ; then
+ ulimit -n 32768 > /dev/null 2>&1 || \
 ulimit -n 16384 > /dev/null 2>&1 || \
 ulimit -n 8192 > /dev/null 2>&1 || \
 ulimit -n 4096 > /dev/null 2>&1 || \
From 36f0eb667d91a8751ffef40a0df9454087cb89da Mon Sep 17 00:00:00 2001
From: Jesse Rosenberger
Date: Wed, 19 Oct 2016 20:38:23 +0300
Subject: [PATCH 5/9] Raise ulimit for nofile to the system maximum
This should permit watching as many files as the system permits. Previously, if the default ulimit was set to a value higher than 16384, it was lowered and if the user had configured their system to have a higher ulimit, Meteor wouldn't have take advantage of it.
---
 meteor | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/meteor b/meteor
index f399fbd52d..b373c41c52 100755
--- a/meteor
+++ b/meteor
@@ -113,16 +113,24 @@ fi
 DEV_BUNDLE="$SCRIPT_DIR/dev_bundle"
 METEOR="$SCRIPT_DIR/tools/index.js"
+# Set the nofile ulimit as high as permitted by the hard-limit/kernel
+if [ "$(ulimit -Sn)" != "unlimited" ]; then
+ if [ "$(uname -s)" = "Darwin" ]; then
+ maxfilesuse="$(sysctl -n kern.maxfilesperproc)"
+ else
+ maxfilesuse="$(ulimit -Hn)"
+ fi
-# Try higher ulimit maxfiles settings until permitted by the kernel
-if [ "$(ulimit -n)" != "unlimited" ] && ! [ "$(ulimit -n)" -gt 32768 ] ; then
- ulimit -n 32768 > /dev/null 2>&1 || \
- ulimit -n 16384 > /dev/null 2>&1 || \
- ulimit -n 8192 > /dev/null 2>&1 || \
- ulimit -n 4096 > /dev/null 2>&1 || \
- ulimit -n 2048 > /dev/null 2>&1 || \
- ulimit -n 1024 > /dev/null 2>&1 || \
- ulimit -n 512 > /dev/null 2>&1
+ if [ -n "${maxfilesuse}" ] && [ "${maxfilesuse}" != "unlimited" ]; then
+ if ! ulimit -Sn ${maxfilesuse} > /dev/null 2>&1; then
+ echo "Warning: Meteor was unable to raise the limit for number of open files"
+ echo "for the current user. Please consider filing an issue at:"
+ echo ""
+ echo " https://github.com/meteor/meteor/issues"
+ echo ""
+ echo "Please include the output of 'uname -a', 'ulimit -H' and 'ulimit -S'"
+ fi
+ fi
 fi
 # We used to set $NODE_PATH here to include the node_modules from the dev
From 90f65cdac77f3b421e731f5110ec913917da7bfe Mon Sep 17 00:00:00 2001
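Review bot: On Darwin the candidate value comes from `sysctl -n kern.maxfilesperproc` without consulting the process hard limit, so whenever `ulimit -Hn` is lower than the kernel per-process maximum the single `ulimit -Sn ${maxfilesuse}` attempt fails and the soft limit is left untouched, with no smaller fallback (the earlier descending attempts have been removed). Reading the hard limit first and only falling back to the sysctl value when the shell reports it as `unlimited` (presumably the case the Darwin branch is there for) never asks for more than the hard limit permits. The expansion `${maxfilesuse}` in the `ulimit -Sn` call should also be quoted. The following patch-6 hunk keeps the same selection logic, so this applies there as well; the whole `if` block is inside this hunk.
```shell
# Set the nofile ulimit as high as permitted by the hard-limit/kernel
if [ "$(ulimit -Sn)" != "unlimited" ]; then
  maxfilesuse="$(ulimit -Hn)"
  # Darwin: when the hard limit reads as unlimited, use the kernel per-process cap instead
  if [ "$(uname -s)" = "Darwin" ] && [ "${maxfilesuse}" = "unlimited" ]; then
    maxfilesuse="$(sysctl -n kern.maxfilesperproc)"
  fi
  # … unchanged: -n/unlimited check and the ulimit -Sn "${maxfilesuse}" attempt …
fi
```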
From: Jesse Rosenberger
Date: Wed, 19 Oct 2016 20:58:32 +0300
Subject: [PATCH 6/9] Remove message about filing an issue if nofile ulimit can't be raised
While this seems like a good idea to find any edge-cases I wasn't thinking of, I'm afraid this would be be displayed frequently for users that set their `ulimit -n` higher in their shell profile since `ulimit -n` can only be lowered once explicitly set in a particular session.
---
 meteor | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/meteor b/meteor
index b373c41c52..f9419c26db 100755
--- a/meteor
+++ b/meteor
@@ -122,14 +122,7 @@ if [ "$(ulimit -Sn)" != "unlimited" ]; then
 fi
 if [ -n "${maxfilesuse}" ] && [ "${maxfilesuse}" != "unlimited" ]; then
- if ! ulimit -Sn ${maxfilesuse} > /dev/null 2>&1; then
- echo "Warning: Meteor was unable to raise the limit for number of open files"
- echo "for the current user. Please consider filing an issue at:"
- echo ""
- echo " https://github.com/meteor/meteor/issues"
- echo ""
- echo "Please include the output of 'uname -a', 'ulimit -H' and 'ulimit -S'"
- fi
+ ulimit -Sn ${maxfilesuse} > /dev/null 2>&1
 fi
 fi
From 3e1a449f5eba7adf17b1073a89e3890d65391397 Mon Sep 17 00:00:00 2001
From: dhrubins
Date: Tue, 11 Oct 2016 12:35:27 -0700
Subject: [PATCH 7/9] Fix CSP2 script digests in browser policy (#7911).
---
 .../browser-policy-content.js | 27 ++++++++++++-------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/packages/browser-policy-content/browser-policy-content.js b/packages/browser-policy-content/browser-policy-content.js
index 78738313e4..49fb21ff3a 100644
--- a/packages/browser-policy-content/browser-policy-content.js
+++ b/packages/browser-policy-content/browser-policy-content.js
@@ -102,19 +102,26 @@ var addSourceForDirective = function (directive, src) {
 if (_.contains(_.values(keywords), src)) {
 cspSrcs[directive].push(src);
 } else {
- src = src.toLowerCase();
-
- // Trim trailing slashes.
- src = src.replace(/\/+$/, '');
- var toAdd = [];
- // If there is no protocol, add both http:// and https://.
- if (! /^([a-z0-9.+-]+:)/.test(src)) {
- toAdd.push("http://" + src);
- toAdd.push("https://" + src);
+
+ //Only add single quotes to CSP2 script digests
+ if (/^(sha(256|384|512)-)/i.test(src)) {
+ toAdd.push("'" + src + "'");
 } else {
- toAdd.push(src);
+ src = src.toLowerCase();
+
+ // Trim trailing slashes.
+ src = src.replace(/\/+$/, '');
+
+ // If there is no protocol, add both http:// and https://.
+ if (! /^([a-z0-9.+-]+:)/.test(src)) {
+ toAdd.push("http://" + src);
+ toAdd.push("https://" + src);
+ } else {
+ toAdd.push(src);
+ }
 }
+
 _.each(toAdd, function (s) {
 cspSrcs[directive].push(s);
 });
From c67f782743f72fdf4bfb6a38b5123884d7bcc3f6 Mon Sep 17 00:00:00 2001
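Review bot: The digest test `/^(sha(256|384|512)-)/i` only checks the algorithm prefix, so a malformed entry such as `sha256-` with no hash is emitted as `'sha256-'`, and a value that already carries CSP quotes fails the test, falls into the URL branch, is lowercased (which corrupts a case-sensitive base64 digest) and gets `http://` and `https://` prepended. Anchoring the pattern on the base64 body and stripping any existing quotes before re-adding them covers both, e.g. `var digest = src.replace(/^'|'$/g, '');` then `if (/^sha(256|384|512)-[A-Za-z0-9+/]+=*$/i.test(digest)) {` and `toAdd.push("'" + digest + "'");`. A space after `//` in the new comment would match the file's other comments. `addSourceForDirective` begins before the hunk; the keyword check on its first context line is unchanged.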
From: Jesse Rosenberger
Date: Tue, 18 Oct 2016 12:21:30 +0300
Subject: [PATCH 8/9] Support additional params on oAuth1 authorize URL
Using a the previously-supported ability to pass a function (versus a string) for an oAuth1 URL, this commit implements (and relocates) a function which safely applies whitelisted params to that URL. This introduces a twitter_common.js file shared between server and client which indicates which Twitter-supported params are permitted on the authorize step. The two params which Twitter supports right now are `force_login` and `screen_name`. (See: https://dev.twitter.com/oauth/reference/get/oauth/authenticate) This commit removes the non-functional implementation of `force_login` introduced by meteor/meteor#6987 and implements it via the aforementioned method. As a precaution (and since neither `ecmascript` nor `es5-shim` are used by this package), I stuck with JS ES3. Closes meteor/meteor#7584
---
 packages/oauth1/oauth1_server.js | 43 ++++++++++++++++++++++--------
 packages/twitter/package.js | 2 ++
 packages/twitter/twitter_client.js | 11 ++++----
 packages/twitter/twitter_common.js | 6 +++++
 packages/twitter/twitter_server.js | 12 ++++++---
 5 files changed, 54 insertions(+), 20 deletions(-)
 create mode 100644 packages/twitter/twitter_common.js
diff --git a/packages/oauth1/oauth1_server.js b/packages/oauth1/oauth1_server.js
index 2d4794c7be..8aee39fce5 100644
--- a/packages/oauth1/oauth1_server.js
+++ b/packages/oauth1/oauth1_server.js
@@ -1,5 +1,26 @@
 var url = Npm.require("url");
+OAuth._queryParamsWithAuthTokenUrl = function (authUrl, oauthBinding, params, whitelistedQueryParams) {
+ params = params || {};
+ var redirectUrlObj = url.parse(authUrl, true);
+
+ _.extend(
+ redirectUrlObj.query,
+ _.pick(params.query, whitelistedQueryParams),
+ {
+ oauth_token: oauthBinding.requestToken,
+ }
+ );
+
+ // Clear the `search` so it is rebuilt by Node's `url` from the `query` above.
+ // Using previous versions of the Node `url` module, this was just set to ""
+ // However, Node 6 docs seem to indicate that this should be `undefined`.
+ delete redirectUrlObj.search;
+
+ // Reconstruct the URL back with provided query parameters merged with oauth_token
+ return url.format(redirectUrlObj);
+};
+
 // connect middleware
 OAuth._requestHandlers['1'] = function (service, query, res) {
 var config = ServiceConfiguration.configurations.findOne({service: service.serviceName});
@@ -30,19 +51,19 @@ OAuth._requestHandlers['1'] = function (service, query, res) {
 oauthBinding.requestTokenSecret);
 // support for scope/name parameters
- var redirectUrl = undefined;
+ var redirectUrl;
+ var authParams = {
+ query: query
+ };
+
 if(typeof urls.authenticate === "function") {
- redirectUrl = urls.authenticate(oauthBinding, {
- query: query
- });
+ redirectUrl = urls.authenticate(oauthBinding, authParams);
 } else {
- // Parse the URL to support additional query parameters in urls.authenticate
- var redirectUrlObj = url.parse(urls.authenticate, true);
- redirectUrlObj.query = redirectUrlObj.query || {};
- redirectUrlObj.query.oauth_token = oauthBinding.requestToken;
- redirectUrlObj.search = '';
- // Reconstruct the URL back with provided query parameters merged with oauth_token
- redirectUrl = url.format(redirectUrlObj);
+ redirectUrl = OAuth._queryParamsWithAuthTokenUrl(
+ urls.authenticate,
+ oauthBinding,
+ authParams
+ );
 }
 // redirect to provider login, which will redirect back to "step 2" below
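Review bot: `OAuth._queryParamsWithAuthTokenUrl` copies request-supplied query parameters into the provider's authorize URL, yet `whitelistedQueryParams` is effectively optional (the `else` branch in the second hunk calls it with three arguments), so "forward nothing unless whitelisted" rests on how `_.pick` treats an `undefined` key list rather than on an explicit default. Adding `whitelistedQueryParams = whitelistedQueryParams || [];` next to the `params` default makes that intent visible in the code. The function also has no header comment; a JSDoc stating that `params.query` is the `query` handed to the connect middleware `OAuth._requestHandlers['1']`, that only names listed in `whitelistedQueryParams` are copied, and that `oauth_token` is set last so it always wins would make the contract clear to the next provider package that passes a function for `urls.authenticate`.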
diff --git a/packages/twitter/package.js b/packages/twitter/package.js
index c44b5fdd74..e790c4e12f 100644
--- a/packages/twitter/package.js
+++ b/packages/twitter/package.js
@@ -18,6 +18,8 @@ Package.onUse(function(api) {
 ['twitter_configure.html', 'twitter_configure.js'],
 'client');
+ api.addFiles('twitter_common.js', ['server', 'client']);
+
 api.addFiles('twitter_server.js', 'server');
 api.addFiles('twitter_client.js', 'client');
 });
diff --git a/packages/twitter/twitter_client.js b/packages/twitter/twitter_client.js
index be8e64bd9c..f15c9afca1 100644
--- a/packages/twitter/twitter_client.js
+++ b/packages/twitter/twitter_client.js
@@ -1,5 +1,3 @@
-Twitter = {};
-
 // Request Twitter credentials for the user
 // @param options {optional} XXX support options.requestPermissions
 // @param credentialRequestCompleteCallback {Function} Callback function to call on
@@ -38,9 +36,12 @@ Twitter.requestCredential = function (options, credentialRequestCompleteCallback
 }
 }
- // Handle force login (request the user to enter their credentials)
- if (options && options.force_login) {
- loginPath += "&force_login=true";
+ // Support additional, permitted parameters
+ var addlParams = Twitter.validParamsAuthenticate;
+ for (var i = 0, len = addlParams.length; i < len; i++) {
+ if (options && options[addlParams[i]]) {
+ loginPath += "&" + addlParams[i] + "=" + encodeURIComponent(options[addlParams[i]]);
+ }
 }
 var loginUrl = Meteor.absoluteUrl(loginPath);
diff --git a/packages/twitter/twitter_common.js b/packages/twitter/twitter_common.js
new file mode 100644
index 0000000000..6d6d79e177
--- /dev/null
+++ b/packages/twitter/twitter_common.js
@@ -0,0 +1,6 @@
+Twitter = {};
+
+Twitter.validParamsAuthenticate = [
+ 'force_login',
+ 'screen_name'
+];
diff --git a/packages/twitter/twitter_server.js b/packages/twitter/twitter_server.js
index efbb6e88a3..d597f0db1e 100644
--- a/packages/twitter/twitter_server.js
+++ b/packages/twitter/twitter_server.js
@@ -1,13 +1,17 @@
-Twitter = {};
-
 var urls = {
 requestToken: "https://api.twitter.com/oauth/request_token",
 authorize: "https://api.twitter.com/oauth/authorize",
 accessToken: "https://api.twitter.com/oauth/access_token",
- authenticate: "https://api.twitter.com/oauth/authenticate"
+ authenticate: function (oauthBinding, params) {
+ return OAuth._queryParamsWithAuthTokenUrl(
+ "https://api.twitter.com/oauth/authenticate",
+ oauthBinding,
+ params,
+ Twitter.validParamsAuthenticate
+ );
+ }
 };
-
 // https://dev.twitter.com/docs/api/1.1/get/account/verify_credentials
 Twitter.whitelistedFields = ['profile_image_url', 'profile_image_url_https', 'lang', 'email'];
From fec8303c214e3dc2ea4940d6158a37a5433050fd Mon Sep 17 00:00:00 2001
From: Ben Newman
Date: Wed, 19 Oct 2016 15:01:38 -0400
Subject: [PATCH 9/9] Use Array#forEach in twitter_client.js.
---
 packages/twitter/twitter_client.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/twitter/twitter_client.js b/packages/twitter/twitter_client.js
index f15c9afca1..b42e775364 100644
--- a/packages/twitter/twitter_client.js
+++ b/packages/twitter/twitter_client.js
@@ -37,11 +37,13 @@ Twitter.requestCredential = function (options, credentialRequestCompleteCallback
 }
 // Support additional, permitted parameters
- var addlParams = Twitter.validParamsAuthenticate;
- for (var i = 0, len = addlParams.length; i < len; i++) {
- if (options && options[addlParams[i]]) {
- loginPath += "&" + addlParams[i] + "=" + encodeURIComponent(options[addlParams[i]]);
- }
+ if (options) {
+ var hasOwn = Object.prototype.hasOwnProperty;
+ Twitter.validParamsAuthenticate.forEach(function (param) {
+ if (hasOwn.call(options, param)) {
+ loginPath += "&" + param + "=" + encodeURIComponent(options[param]);
+ }
+ });
 }
 var loginUrl = Meteor.absoluteUrl(loginPath);
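Review bot: In the patch-9 hunk, swapping the truthiness test for `hasOwn.call(options, param)` changes what is sent: an option that is present but `false`, `null` or `undefined` now yields `&force_login=false` or `&screen_name=undefined` on the login path, where the removed loop skipped it. If that widening is not intended, keep the ownership check but also require a value, `if (hasOwn.call(options, param) && options[param] != null) {`. `Twitter.requestCredential` starts before the hunk, so whether `loginPath` already carries a query string (the `&` prefix assumes it does) cannot be confirmed from here.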