Bump version to 2.5.3

Merge branch 'dev'
Fix: dont allow allauth redirects to any host (#5783 )
2026-02-18 09:26:25 +00:00 · 2024-02-15 17:34:22 -08:00 · 2024-02-15 17:33:54 -08:00 · 2024-02-15 16:37:34 -08:00 · 2024-02-15 17:33:26 +00:00 · 2024-02-15 07:59:33 -08:00
9 changed files with 82 additions and 10 deletions
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,5 +1,29 @@
 # Changelog

+## paperless-ngx 2.5.2
+
+### Bug Fixes
+
+- Fix: Generated secret key may include single or double quotes [@schmidtnz](https://github.com/schmidtnz) ([#5767](https://github.com/paperless-ngx/paperless-ngx/pull/5767))
+- Fix: consumer status alerts container blocks elements [@shamoon](https://github.com/shamoon) ([#5762](https://github.com/paperless-ngx/paperless-ngx/pull/5762))
+- Fix: handle document notes user format api change [@shamoon](https://github.com/shamoon) ([#5751](https://github.com/paperless-ngx/paperless-ngx/pull/5751))
+- Fix: Assign ASN from barcode only after any splitting [@stumpylog](https://github.com/stumpylog) ([#5745](https://github.com/paperless-ngx/paperless-ngx/pull/5745))
+
+### Dependencies
+
+- Chore(deps): Bump the major-versions group with 1 update [@dependabot](https://github.com/dependabot) ([#5741](https://github.com/paperless-ngx/paperless-ngx/pull/5741))
+
+### All App Changes
+
+<details>
+<summary>4 changes</summary>
+
+- Fix: consumer status alerts container blocks elements [@shamoon](https://github.com/shamoon) ([#5762](https://github.com/paperless-ngx/paperless-ngx/pull/5762))
+- Fix: handle document notes user format api change [@shamoon](https://github.com/shamoon) ([#5751](https://github.com/paperless-ngx/paperless-ngx/pull/5751))
+- Fix: Assign ASN from barcode only after any splitting [@stumpylog](https://github.com/stumpylog) ([#5745](https://github.com/paperless-ngx/paperless-ngx/pull/5745))
+- Chore(deps): Bump the major-versions group with 1 update [@dependabot](https://github.com/dependabot) ([#5741](https://github.com/paperless-ngx/paperless-ngx/pull/5741))
+</details>
+
 ## paperless-ngx 2.5.1

 ### Bug Fixes
--- a/src-ui/src/environments/environment.prod.ts
+++ b/src-ui/src/environments/environment.prod.ts
@@ -5,7 +5,7 @@ export const environment = {
  apiBaseUrl: document.baseURI + 'api/',
  apiVersion: '5',
  appTitle: 'Paperless-ngx',
-  version: '2.5.2',
+  version: '2.5.3',
  webSocketHost: window.location.host,
  webSocketProtocol: window.location.protocol == 'https:' ? 'wss:' : 'ws:',
  webSocketBaseUrl: base_url.pathname + 'ws/',
--- a/src/documents/barcodes.py
+++ b/src/documents/barcodes.py
@@ -100,11 +100,9 @@ class BarcodePlugin(ConsumeTaskPlugin):
            logger.info(f"Found tags in barcode: {tags}")

        # Lastly attempt to split documents
-        if settings.CONSUMER_ENABLE_BARCODES:
-
-            separator_pages = self.get_separation_pages()
-            if not separator_pages:
-                return "No pages to split on!"
+        if settings.CONSUMER_ENABLE_BARCODES and (
+            separator_pages := self.get_separation_pages()
+        ):

            # We have pages to split against

--- a/src/documents/tests/test_barcodes.py
+++ b/src/documents/tests/test_barcodes.py
@@ -15,6 +15,7 @@ from documents.data_models import ConsumableDocument
 from documents.data_models import DocumentMetadataOverrides
 from documents.data_models import DocumentSource
 from documents.models import Tag
+from documents.plugins.base import StopConsumeTaskError
 from documents.tests.utils import DirectoriesMixin
 from documents.tests.utils import DocumentConsumeDelayMixin
 from documents.tests.utils import DummyProgressManager
@@ -415,7 +416,10 @@ class TestBarcode(
        test_file = self.SAMPLE_DIR / "simple.pdf"

        with self.get_reader(test_file) as reader:
-            self.assertEqual("No pages to split on!", reader.run())
+            try:
+                reader.run()
+            except StopConsumeTaskError:
+                self.fail("Barcode reader split pages unexpectedly")

    @override_settings(
        CONSUMER_ENABLE_BARCODES=True,
--- a/src/paperless/adapter.py
+++ b/src/paperless/adapter.py
@@ -1,4 +1,5 @@
 from allauth.account.adapter import DefaultAccountAdapter
+from allauth.core import context
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 from django.conf import settings
 from django.urls import reverse
@@ -10,6 +11,21 @@ class CustomAccountAdapter(DefaultAccountAdapter):
        # Override with setting, otherwise default to super.
        return getattr(settings, "ACCOUNT_ALLOW_SIGNUPS", allow_signups)

+    def is_safe_url(self, url):
+        # see https://github.com/paperless-ngx/paperless-ngx/issues/5780
+        from django.utils.http import url_has_allowed_host_and_scheme
+
+        # get_host already validates the given host, so no need to check it again
+        allowed_hosts = {context.request.get_host()} | set(settings.ALLOWED_HOSTS)
+
+        if "*" in allowed_hosts:
+            # dont allow wildcard to allow urls from any host
+            allowed_hosts.remove("*")
+            allowed_hosts.add(context.request.get_host())
+            return url_has_allowed_host_and_scheme(url, allowed_hosts=allowed_hosts)
+
+        return url_has_allowed_host_and_scheme(url, allowed_hosts=allowed_hosts)
+

 class CustomSocialAccountAdapter(DefaultSocialAccountAdapter):
    def is_open_for_signup(self, request, sociallogin):
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -586,8 +586,8 @@ def _parse_db_settings() -> dict:
            options = {
                "read_default_file": "/etc/mysql/my.cnf",
                "charset": "utf8mb4",
+                "ssl_mode": os.getenv("PAPERLESS_DBSSLMODE", "PREFERRED"),
                "ssl": {
-                    "ssl_mode": os.getenv("PAPERLESS_DBSSLMODE", "PREFERRED"),
                    "ca": os.getenv("PAPERLESS_DBSSLROOTCERT", None),
                    "cert": os.getenv("PAPERLESS_DBSSLCERT", None),
                    "key": os.getenv("PAPERLESS_DBSSLKEY", None),
--- a/src/paperless/tests/test_adapter.py
+++ b/src/paperless/tests/test_adapter.py
@@ -1,7 +1,12 @@
+from unittest import mock
+
 from allauth.account.adapter import get_adapter
+from allauth.core import context
 from allauth.socialaccount.adapter import get_adapter as get_social_adapter
 from django.conf import settings
+from django.http import HttpRequest
 from django.test import TestCase
+from django.test import override_settings
 from django.urls import reverse


@@ -17,6 +22,31 @@ class TestCustomAccountAdapter(TestCase):
        settings.ACCOUNT_ALLOW_SIGNUPS = False
        self.assertFalse(adapter.is_open_for_signup(None))

+    def test_is_safe_url(self):
+        request = HttpRequest()
+        request.get_host = mock.Mock(return_value="example.com")
+        with context.request_context(request):
+            adapter = get_adapter()
+            with override_settings(ALLOWED_HOSTS=["*"]):
+
+                # True because request host is same
+                url = "https://example.com"
+                self.assertTrue(adapter.is_safe_url(url))
+
+            url = "https://evil.com"
+            # False despite wildcard because request host is different
+            self.assertFalse(adapter.is_safe_url(url))
+
+            settings.ALLOWED_HOSTS = ["example.com"]
+            url = "https://example.com"
+            # True because request host is same
+            self.assertTrue(adapter.is_safe_url(url))
+
+            settings.ALLOWED_HOSTS = ["*", "example.com"]
+            url = "//evil.com"
+            # False because request host is not in allowed hosts
+            self.assertFalse(adapter.is_safe_url(url))
+

 class TestCustomSocialAccountAdapter(TestCase):
    def test_is_open_for_signup(self):
--- a/src/paperless/urls.py
+++ b/src/paperless/urls.py
@@ -193,6 +193,7 @@ urlpatterns = [
        RedirectView.as_view(
            url=settings.STATIC_URL + "frontend/en-US/assets/%(path)s",
        ),
+        # TODO: with localization, this is even worse! :/
    ),
    # App logo
    re_path(
@@ -200,7 +201,6 @@ urlpatterns = [
        serve,
        kwargs={"document_root": os.path.join(settings.MEDIA_ROOT, "logo")},
    ),
-    # TODO: with localization, this is even worse! :/
    # login, logout
    path("accounts/", include("allauth.urls")),
    # Root of the Frontend
--- a/src/paperless/version.py
+++ b/src/paperless/version.py
@@ -1,6 +1,6 @@
 from typing import Final

-__version__: Final[tuple[int, int, int]] = (2, 5, 2)
+__version__: Final[tuple[int, int, int]] = (2, 5, 3)
 # Version string like X.Y.Z
 __full_version_str__: Final[str] = ".".join(map(str, __version__))
 # Version string like X.Y
Author	SHA1	Message	Date
shamoon	9f045f4494	Bump version to 2.5.3	2024-02-15 17:34:22 -08:00
shamoon	4fdb28c8d6	Merge branch 'dev'	2024-02-15 17:33:54 -08:00
shamoon	f1049cf889	Fix: dont allow allauth redirects to any host (#5783 ) --------- Co-authored-by: Trenton H <797416+stumpylog@users.noreply.github.com>	2024-02-15 16:37:34 -08:00
Trenton H	8d664fad56	Fixes the interaction when both splitting and ASN are enabled (#5779 )	2024-02-15 17:33:26 +00:00
MaciejSzczurek	f6ddcfa839	Moved ssl_mode parameter for mysql backend engine (#5771 )	2024-02-15 07:59:33 -08:00
github-actions[bot]	ce59f2ad5e	Changelog v2.5.2 - GHA (#5769 ) Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>	2024-02-14 17:40:10 -08:00
Trenton H	0de00a4ac1	Resets develop versioning	2024-02-14 17:14:33 -08:00