From 039141a79ae273255497cfe780e1a6f61f4a5c4c Mon Sep 17 00:00:00 2001 From: Yannick Reekmans Date: Tue, 14 Dec 2021 09:22:49 +0000 Subject: [PATCH] Add v3.42.8 --- README.md | 3 +-- azuredeploy.json | 17 ++++++++--------- core/frontend/helpers/url.js | 7 ++++++- core/server/services/oembed.js | 6 ++++++ .../web/site/middleware/handle-image-sizes.js | 9 ++++++++- package.json | 2 +- web.config | 9 +++++++-- 7 files changed, 37 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 8bcad7e4b1..7fde97ef94 100644 --- a/README.md +++ b/README.md @@ -9,8 +9,7 @@ I documented my installation process, with additional steps to add Sendgrid, SSL In any case I suggest forking my repository into your own, this to avoid changes I make to my repository to negatively impact your installation. ### One-click deploy -[![Deploy to Azure](https://azuredeploy.net/deploybutton.png)](https://azuredeploy.net/) -[![Visualize](http://armviz.io/visualizebutton.png)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FYannickRe%2FGhost-Azure%2Fazure%2Fazuredeploy.json) +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FYannickRe%2FGhost-Azure%2Fmaster%2Fazuredeploy.json) ### Azure App Service Deployment Center More info on [Microsoft Docs](https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment#deploy-continuously-from-github) \ No newline at end of file diff --git a/azuredeploy.json b/azuredeploy.json index 8179c66b97..12049c6683 100644 --- a/azuredeploy.json +++ b/azuredeploy.json @@ -8,9 +8,6 @@ "hostingPlanName": { "type": "string" }, - "siteLocation": { - "type": "string" - }, "sku": { "type": "string", "allowedValues": [ 
@@ -56,10 +53,12 @@ "defaultValue": "" }, "repoUrl": { - "type": "string" + "type": "string", + "defaultValue": "https://github.com/<>/Ghost-Azure" }, "branch": { - "type": "string" + "type": "string", + "defaultValue": "master" } }, "variables": { @@ -71,7 +70,7 @@ { "name": "[parameters('hostingPlanName')]", "type": "Microsoft.Web/serverfarms", - "location": "[parameters('siteLocation')]", + "location": "[resourceGroup().location]", "apiVersion": "2018-02-01", "sku": { "name": "[variables('sku')]" @@ -85,7 +84,7 @@ { "name": "[parameters('siteName')]", "type": "Microsoft.Web/sites", - "location": "[parameters('siteLocation')]", + "location": "[resourceGroup().location]", "apiVersion": "2018-11-01", "dependsOn": [ "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]" @@ -152,7 +151,7 @@ { "name": "[variables('appInsightsName')]", "type": "Microsoft.Insights/components", - "location": "[parameters('siteLocation')]", + "location": "[resourceGroup().location]", "apiVersion": "2014-04-01", "condition": "[parameters('Deploy App Insights')]", "dependsOn": [ @@ -167,4 +166,4 @@ } } ] -} +} \ No newline at end of file diff --git a/core/frontend/helpers/url.js b/core/frontend/helpers/url.js index 36fa631e8f..c531da180f 100644 --- a/core/frontend/helpers/url.js +++ b/core/frontend/helpers/url.js @@ -11,7 +11,12 @@ module.exports = function url(options) { const absolute = options && options.hash.absolute && options.hash.absolute !== 'false'; let outputUrl = getMetaDataUrl(this, absolute); - outputUrl = encodeURI(decodeURI(outputUrl)); + try { + outputUrl = encodeURI(decodeURI(outputUrl)); + } catch (err) { + // Happens when the outputURL contains an invalid URI character like "%%" or "%80" + return new SafeString(''); + } return new SafeString(outputUrl); }; diff --git a/core/server/services/oembed.js b/core/server/services/oembed.js index 82be2b202a..167a4a3462 100644 --- a/core/server/services/oembed.js +++ b/core/server/services/oembed.js 
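Review bot: The new `catch (err)` in `url()` returns an empty `SafeString` silently, so a post whose URL contains a malformed escape renders an empty link with nothing in the logs to explain it. A debug-level log entry naming the offending value would make this diagnosable. The catch is also wider than its comment: it handles any exception, not only the `URIError` that `decodeURI`/`encodeURI` raise, so `if (!(err instanceof URIError)) { throw err; }` as its first statement would keep unrelated failures visible. The comment says `outputURL` where the variable is `outputUrl`.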
@@ -85,6 +85,8 @@ class OEmbed { } async fetchBookmarkData(url) { + // Metascraper doesn't handle leading/trailing whitespace + url = url.trim(); const metascraper = require('metascraper')([ require('metascraper-url')(), require('metascraper-title')(), @@ -154,6 +156,10 @@ class OEmbed { } fetchOembedData(_url, cardType) { + // Trimming solves the difference of url validation between `new URL(url)` + // and metascraper. + _url = _url.trim(); + // parse the url then validate the protocol and host to make sure it's // http(s) and not an IP address or localhost to avoid potential access to // internal network endpoints diff --git a/core/server/web/site/middleware/handle-image-sizes.js b/core/server/web/site/middleware/handle-image-sizes.js index 0e035999ad..181f7d1d36 100644 --- a/core/server/web/site/middleware/handle-image-sizes.js +++ b/core/server/web/site/middleware/handle-image-sizes.js @@ -1,5 +1,6 @@ const _ = require('lodash'); const path = require('path'); +const {GhostError} = require('@tryghost/errors'); const imageTransform = require('@tryghost/image-transform'); const storage = require('../../../adapters/storage'); const activeTheme = require('../../../../frontend/services/themes/active'); @@ -100,6 +101,12 @@ module.exports = function (req, res, next) { return storageInstance.read({path: storagePath}); }) .then((originalImageBuffer) => { + if (originalImageBuffer.length <= 0) { + throw new GhostError({ + errorType: 'NoContentError', + statusCode: 204 + }); + } return imageTransform.resizeFromBuffer(originalImageBuffer, imageDimensionConfig); }) .then((resizedImageBuffer) => { @@ -108,7 +115,7 @@ module.exports = function (req, res, next) { }).then(() => { next(); }).catch(function (err) { - if (err.code === 'SHARP_INSTALLATION') { + if (err.code === 'SHARP_INSTALLATION' || err.code === 'IMAGE_PROCESSING' || err.errorType === 'NoContentError') { return redirectToOriginal(); } next(err); 
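Review bot: `url = url.trim();` at the top of `fetchBookmarkData` assumes the argument is a string, and the same holds for `_url = _url.trim();` in `fetchOembedData` in the next hunk. If a caller passes a missing or repeated request parameter, `.trim()` throws a `TypeError` rather than the service's normal validation error; whether callers already guarantee a string is not visible here. A `typeof url !== 'string'` guard before the trim would keep the failure mode predictable. Both lines also reassign the parameter, where `const trimmedUrl = url.trim();` would read more clearly. Both function bodies continue outside the hunks.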
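Review bot: Trimming `_url` ahead of the protocol/host check in `fetchOembedData` only aligns `new URL(url)` and metascraper for the characters `String.prototype.trim()` removes; the validator and the fetcher still parse the raw string independently. The existing comment describes this check as the guard against requests to internal network endpoints, so the sturdier pattern is to parse once and hand the parsed URL's serialized form (`.href`) to every downstream request. That way the value that was validated is exactly the value that is fetched. The rest of the function lies outside the hunk, so this may already happen further down and is worth confirming.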
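Review bot: The empty-buffer check in `handle-image-sizes.js` throws a `GhostError` with `statusCode: 204` only so that the `.catch` further down can match `errorType` and redirect. The 204 is never sent on that path, and it would reach the error handler through `next(err)` if the catch condition were later changed. A comment above the `throw`, such as `// Empty file in storage: skip resizing and fall back to the original image`, would state the intent. `originalImageBuffer.length <= 0` still raises a `TypeError` if the storage adapter resolves with `null` or `undefined` (whether it can is not visible here), so `!originalImageBuffer || originalImageBuffer.length === 0` is the safer test.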
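Review bot: The widened `.catch` condition redirects to the original image on every `IMAGE_PROCESSING` error and on the new `NoContentError` without recording anything, so corrupt or unprocessable files in storage become invisible to operators. Logging `err` before `return redirectToOriginal();` for these two cases would keep the fallback and leave a trace; which logger this module should use is not visible in the hunk. The fallback also means a file the image library rejected is then served unmodified, so whatever validation happens at upload time is the only content check on that path.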
diff --git a/package.json b/package.json index 2a984e7bde..281634c87c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "ghost", - "version": "3.42.7", + "version": "3.42.8", "description": "The professional publishing platform", "author": "Ghost Foundation", "homepage": "https://ghost.org", diff --git a/web.config b/web.config index 51bcbd1ec8..72284fcbfc 100644 --- a/web.config +++ b/web.config @@ -42,11 +42,16 @@ - + + + + + + - \ No newline at end of file +