From 9bab74d30ef17aad03a6c7d3d89eedc4b1b4999c Mon Sep 17 00:00:00 2001 From: Nikolaj Geisle <70372949+Zeegaan@users.noreply.github.com> Date: Mon, 7 Oct 2024 11:55:34 +0200 Subject: [PATCH 1/9] Bump version.json --- version.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.json b/version.json index f49d971518..6bec70b51b 100644 --- a/version.json +++ b/version.json @@ -1,6 +1,6 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "10.8.6", + "version": "10.8.7", "assemblyVersion": { "precision": "build" }, From 2d71b5a63b45982553f7f7eb282821a6861ff41b Mon Sep 17 00:00:00 2001 From: Bjarke Berg Date: Wed, 16 Oct 2024 12:16:38 +0200 Subject: [PATCH 2/9] Updated image sharp to a non vulnerable version (#17290) --- src/Directory.Packages.props | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props index 4d6bf155d3..0ea425c69a 100644 --- a/src/Directory.Packages.props +++ b/src/Directory.Packages.props @@ -48,7 +48,7 @@ - + @@ -64,4 +64,4 @@ - \ No newline at end of file + From 11270eaaf5f9bf2cca9bd5298c6211ce730fb0fd Mon Sep 17 00:00:00 2001 From: Andreas Zerbst <73799582+andr317c@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:00:47 +0200 Subject: [PATCH 3/9] Updated message pack (#17320) --- src/Directory.Packages.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props index 4d6bf155d3..643c331edb 100644 --- a/src/Directory.Packages.props +++ b/src/Directory.Packages.props @@ -13,7 +13,7 @@ - + From edd0a4a4a926e6ff16d4978eb45dbca83bc8e0a8 Mon Sep 17 00:00:00 2001 
From: Andreas Zerbst <73799582+andr317c@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:00:47 +0200 Subject: [PATCH 4/9] Updated message pack (#17320) (cherry picked from commit 11270eaaf5f9bf2cca9bd5298c6211ce730fb0fd) --- src/Directory.Packages.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props index 0ea425c69a..97fd24618c 100644 --- a/src/Directory.Packages.props +++ b/src/Directory.Packages.props @@ -13,7 +13,7 @@ - + From 67a71f8f823b2b8c2c62f89193ebb96bc883a091 Mon Sep 17 00:00:00 2001 From: Elitsa Date: Wed, 21 Aug 2024 14:41:14 +0200 Subject: [PATCH 5/9] Make sure that the client shows the login screen as close to the server's timout time as possible --- .../src/common/services/user.service.js | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/src/Umbraco.Web.UI.Client/src/common/services/user.service.js b/src/Umbraco.Web.UI.Client/src/common/services/user.service.js index ee9aa0864f..943141878a 100644 --- a/src/Umbraco.Web.UI.Client/src/common/services/user.service.js +++ b/src/Umbraco.Web.UI.Client/src/common/services/user.service.js @@ -3,6 +3,7 @@ angular.module('umbraco.services') var currentUser = null; var lastUserId = null; + var countdownCounter = null; //this tracks the last date/time that the user's remainingAuthSeconds was updated from the server // this is used so that we know when to go and get the user's remaining seconds directly. @@ -43,6 +44,10 @@ angular.module('umbraco.services') } currentUser = usr; lastServerTimeoutSet = new Date(); + //don't start the timer if it is already going + if (countdownCounter) { + return; + } //start the timer countdownUserTimeout(); } @@ -54,7 +59,7 @@ angular.module('umbraco.services') */ function countdownUserTimeout() { - $timeout(function () { + countdownCounter = $timeout(function () { if (currentUser) { //countdown by 5 seconds since that is how long our timer is for. 
@@ -95,15 +100,20 @@ angular.module('umbraco.services') if (Umbraco.Sys.ServerVariables.umbracoSettings.keepUserLoggedIn !== true) { //NOTE: the safeApply because our timeout is set to not run digests (performance reasons) angularHelper.safeApply($rootScope, function () { - try { - //NOTE: We are calling this again so that the server can create a log that the timeout has expired, we - // don't actually care about this result. - authResource.getRemainingTimeoutSeconds(); - } - finally { - userAuthExpired(); - } + //NOTE: We are calling this again so that the server can create a log that the timeout has expired + //and we will show the login screen as close to the server's timout time as possible + authResource.getRemainingTimeoutSeconds().then(function (result) { + setUserTimeoutInternal(result); + + //the client auth can expire a second earlier as the client internal clock is behind + if (result < 1) { + userAuthExpired(); + } + }); }); + + //recurse the countdown! + countdownUserTimeout(); } else { //we've got less than 30 seconds remaining so let's check the server @@ -155,6 +165,7 @@ angular.module('umbraco.services') lastServerTimeoutSet = null; currentUser = null; + countdownCounter = null; openLoginDialog(isLogout === undefined ? true : !isLogout); } From c9021ab2d2c02f23ad5d9bcff3ccb0f5e283d914 Mon Sep 17 00:00:00 2001 From: Elitsa Date: Wed, 21 Aug 2024 14:44:09 +0200 Subject: [PATCH 6/9] Reduce the time when getRemainingTimeoutSeconds request is made from 30s to 20s, so fewer calls are made --- .../src/common/services/user.service.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/Umbraco.Web.UI.Client/src/common/services/user.service.js b/src/Umbraco.Web.UI.Client/src/common/services/user.service.js index 943141878a..bb56b7cc20 100644 --- a/src/Umbraco.Web.UI.Client/src/common/services/user.service.js +++ b/src/Umbraco.Web.UI.Client/src/common/services/user.service.js 
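Review bot: The `authResource.getRemainingTimeoutSeconds().then(...)` call in the expiry branch has no rejection handler, so if the request fails (network error, or the server already rejecting the expired session) `userAuthExpired()` is never reached and the login screen is not shown, whereas the removed `try/finally` guaranteed it. Passing an error callback keeps the old fail-closed behaviour: `authResource.getRemainingTimeoutSeconds().then(function (result) { /* as now */ }, function () { userAuthExpired(); });`. The `if (result < 1)` guard also only fires for a numeric result; an `undefined` or non-numeric response leaves the client looking logged in, so treating anything that is not a number greater than zero as expired would be safer. The enclosing `countdownUserTimeout` starts and ends outside this hunk.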
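Review bot: `countdownCounter = null;` in the `@@ -155` hunk drops the `$timeout` handle without cancelling the pending tick, so the already-scheduled callback still fires; if a new login calls `setUserTimeoutInternal` before it does, the `if (countdownCounter)` guard sees null and starts a second chain, and two chains each subtracting 5 seconds per tick would expire the client early. Cancel before clearing: `$timeout.cancel(countdownCounter); countdownCounter = null;`. This assumes the `if (currentUser)` check inside the timer callback is the only thing stopping the old chain, which cannot be confirmed from this hunk; the enclosing `userAuthExpired` starts outside it.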
@@ -65,17 +65,17 @@ angular.module('umbraco.services') //countdown by 5 seconds since that is how long our timer is for. currentUser.remainingAuthSeconds -= 5; - //if there are more than 30 remaining seconds, recurse! - if (currentUser.remainingAuthSeconds > 30) { + //if there are more than 20 remaining seconds, recurse! + if (currentUser.remainingAuthSeconds > 20) { //we need to check when the last time the timeout was set from the server, if - // it has been more than 30 seconds then we'll manually go and retrieve it from the + // it has been more than 20 seconds then we'll manually go and retrieve it from the // server - this helps to keep our local countdown in check with the true timeout. if (lastServerTimeoutSet != null) { var now = new Date(); var seconds = (now.getTime() - lastServerTimeoutSet.getTime()) / 1000; - if (seconds > 30) { + if (seconds > 20) { //first we'll set the lastServerTimeoutSet to null - this is so we don't get back in to this loop while we // wait for a response from the server otherwise we'll be making double/triple/etc... calls while we wait. @@ -116,7 +116,7 @@ angular.module('umbraco.services') countdownUserTimeout(); } else { - //we've got less than 30 seconds remaining so let's check the server + //we've got less than 20 seconds remaining so let's check the server if (lastServerTimeoutSet != null) { //first we'll set the lastServerTimeoutSet to null - this is so we don't get back in to this loop while we From 8c1128c85b8f84fee6891e19967d87aaa8ba80ed Mon Sep 17 00:00:00 2001 From: Elitsa Date: Tue, 20 Aug 2024 10:15:37 +0200 Subject: [PATCH 7/9] Update the HttpContext's user with the authenticated user's principal --- .../Extensions/HttpContextExtensions.cs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs b/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs index 226755039e..2a6bbc99d4 100644 --- a/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs 
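Review bot: The 20-second threshold is now a bare literal in two conditions and three comments of this hunk plus the comment in the `@@ -116` hunk, and the 5-second tick it implicitly depends on is another literal; the commit itself had to touch five places to change one value. A module-level constant declared next to `countdownCounter`, e.g. `var serverCheckThresholdSeconds = 20;`, used in both `currentUser.remainingAuthSeconds > serverCheckThresholdSeconds` and `seconds > serverCheckThresholdSeconds`, would make the next adjustment a one-line change and keep the comments from drifting. The enclosing `countdownUserTimeout` starts and ends outside this hunk.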
+++ b/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs @@ -59,6 +59,14 @@ public static class HttpContextExtensions await httpContext.AuthenticateAsync(Constants.Security.BackOfficeExternalAuthenticationType); } + // Update the HttpContext's user with the authenticated user's principal to ensure + // that subsequent requests within the same context will recognize the user + // as authenticated. + if (result.Succeeded) + { + httpContext.User = result.Principal; + } + return result; } From 35c51a029a16435109b3462f5db4cbdeb9189408 Mon Sep 17 00:00:00 2001 From: Sven Geusens Date: Mon, 12 Aug 2024 14:48:32 +0100 Subject: [PATCH 8/9] Prevents XSS when viewing an uploaded SVG from the media-info and image-preview components. --- .../media/umbmedianodeinfo.directive.js | 10 +------ .../common/services/mediahelper.service.js | 26 +++++++++++++++++-- .../umbimagepreview/umb-image-preview.html | 2 +- .../umbimagepreview.controller.js | 26 +++++++++---------- 4 files changed, 38 insertions(+), 26 deletions(-) diff --git a/src/Umbraco.Web.UI.Client/src/common/directives/components/media/umbmedianodeinfo.directive.js b/src/Umbraco.Web.UI.Client/src/common/directives/components/media/umbmedianodeinfo.directive.js index 2a65c67a8d..32abdc2a48 100644 --- a/src/Umbraco.Web.UI.Client/src/common/directives/components/media/umbmedianodeinfo.directive.js +++ b/src/Umbraco.Web.UI.Client/src/common/directives/components/media/umbmedianodeinfo.directive.js @@ -69,15 +69,7 @@ editorService.mediaTypeEditor(editor); }; - scope.openSVG = () => { - var popup = window.open('', '_blank'); - var html = '' + - ''; - - popup.document.open(); - popup.document.write(html); - popup.document.close(); - } + scope.openSVG = () => mediaHelper.openSVG(scope.nodeUrl); // watch for content updates - reload content when node is saved, published etc. scope.$watch('node.updateDate', function(newValue, oldValue){ 
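Review bot: The comment above the new `if (result.Succeeded)` block says the assignment helps "subsequent requests within the same context", but `HttpContext` is per request; what the overwrite actually affects is every later middleware, filter and authorization check in this same request, so the comment should read e.g. `// Set HttpContext.User to the authenticated principal so that later components in this request's pipeline see the user as authenticated.` That wider effect deserves an explicit word as well: assigning `httpContext.User` replaces whatever principal the default scheme had already established rather than adding an identity to it, so any caller of this extension that did not intend to switch the request's principal is affected. If replacement is intended, say so in the comment; if not, adding the identities via `httpContext.User.AddIdentity(...)` is the non-destructive alternative. The enclosing method starts outside the hunk, so where `result` is assigned is not visible here.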
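Review bot: `scope.openSVG = () => mediaHelper.openSVG(scope.nodeUrl);` introduces a dependency on `mediaHelper` that the removed code did not have (it only used `window`), and the directive's injection list is outside this hunk, so it cannot be confirmed here that `mediaHelper` is injected; if it is not, the failure only appears as a ReferenceError when the link is clicked. A one-line comment such as `// delegated to mediaHelper.openSVG so the SVG renders as an image, never as a document` would also record why the raw URL must not be opened directly. The enclosing link function starts and ends outside this hunk.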
diff --git a/src/Umbraco.Web.UI.Client/src/common/services/mediahelper.service.js b/src/Umbraco.Web.UI.Client/src/common/services/mediahelper.service.js index e98a597e76..734dd29cba 100644 --- a/src/Umbraco.Web.UI.Client/src/common/services/mediahelper.service.js +++ b/src/Umbraco.Web.UI.Client/src/common/services/mediahelper.service.js @@ -3,7 +3,7 @@ * @name umbraco.services.mediaHelper * @description A helper object used for dealing with media items **/ -function mediaHelper(umbRequestHelper, $http, $log) { +function mediaHelper(umbRequestHelper, $http, $log, $location) { //container of fileresolvers var _mediaFileResolvers = {}; @@ -449,7 +449,29 @@ function mediaHelper(umbRequestHelper, $http, $log) { cropY2: options.crop ? options.crop.y2 : null })), "Failed to retrieve processed image URL for image: " + imagePath); - } + }, + + /** + * @ngdoc function + * @name umbraco.services.mediaHelper#openSVG + * @methodOf umbraco.services.mediaHelper + * @function + * + * @description + * Opens an SVG file in a new window as an image file, to prevent any potential XSS exploits. + * + * @param {string} imagePath File path, ex /media/1234/my-image.svg + */ + openSVG: function (imagePath) { + var popup = window.open('', '_blank'); + var html = '' + + '' + + ''; + + popup.document.open(); + popup.document.write(html); + popup.document.close(); + } }; } angular.module('umbraco.services').factory('mediaHelper', mediaHelper); diff --git a/src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umb-image-preview.html b/src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umb-image-preview.html index 989f8ef093..0918f6dc5b 100644 --- a/src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umb-image-preview.html +++ b/src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umb-image-preview.html @@ -1,6 +1,6 @@ 
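Review bot: `openSVG` concatenates `imagePath` into a markup string handed to `popup.document.write`, and the markup itself is not visible in this hunk, so it is not possible to confirm from here that the path is attribute-encoded; a media path containing a quote or `<` would otherwise break out of the `src` attribute and reintroduce the injection this commit is closing. Building the element through the DOM avoids the question entirely: `var img = popup.document.createElement('img'); img.src = imagePath; popup.document.body.appendChild(img);`, and the JSDoc should state that the path is used as an image source only. The `$location` parameter added to `mediaHelper`'s signature in the `@@ -3` hunk is not referenced on any visible line; if it is only used inside the stripped markup expression, a comment saying so would help, otherwise it is an unused injection. `window.open('', '_blank')` yields an about:blank document sharing the opener's origin, which is fine while the body is only an `img`, so a comment to that effect would stop someone later extending the template with inline content.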
diff --git a/src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umbimagepreview.controller.js b/src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umbimagepreview.controller.js index 36eb3958e2..d1f32fb6b5 100644 --- a/src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umbimagepreview.controller.js +++ b/src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umbimagepreview.controller.js @@ -1,18 +1,16 @@ - - - - angular.module("umbraco") - .controller("umbImagePreviewController", - function (mediaHelper) { + .controller("umbImagePreviewController", + function (mediaHelper) { - var vm = this; + var vm = this; - vm.getThumbnail = function(source) { - return mediaHelper.getThumbnailFromPath(source) || source; - } - vm.getClientSideUrl = function(sourceData) { - return URL.createObjectURL(sourceData); - } + vm.getThumbnail = function (source) { + return mediaHelper.getThumbnailFromPath(source) || source; + } - }); + vm.getClientSideUrl = function (sourceData) { + return URL.createObjectURL(sourceData); + } + + vm.openSVG = (source) => mediaHelper.openSVG(source); + }); From c7014e159b93a177b19077cdedcddee93faf180b Mon Sep 17 00:00:00 2001 From: Matt Brailsford Date: Thu, 21 Nov 2024 16:19:48 +0100 Subject: [PATCH 9/9] Sort manifest file paths alphabetically (#14466) * Sort manifest file paths alphabetically * Update src/Umbraco.Infrastructure/Manifest/ManifestParser.cs Co-authored-by: Ronald Barendse --------- Co-authored-by: Ronald Barendse --- src/Umbraco.Infrastructure/Manifest/ManifestParser.cs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/Umbraco.Infrastructure/Manifest/ManifestParser.cs b/src/Umbraco.Infrastructure/Manifest/ManifestParser.cs index 4dbd6abd40..f43f6852a6 100644 --- a/src/Umbraco.Infrastructure/Manifest/ManifestParser.cs +++ b/src/Umbraco.Infrastructure/Manifest/ManifestParser.cs 
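Review bot: The single functional change in this hunk, `vm.openSVG = (source) => mediaHelper.openSVG(source);`, is buried under a re-indentation of the whole controller; keeping whitespace-only reformatting in its own commit would leave the XSS fix reviewable on its own. A one-line comment above it, e.g. `// Open SVGs through mediaHelper so they render as an image, not as a document`, would record why the view must not link the raw URL. Now on the new side as well: `vm.getClientSideUrl` allocates a fresh object URL on every call and nothing revokes it, which matters if the template evaluates it per digest; caching per `sourceData` or revoking on scope destroy would bound it. The enclosing controller is entirely within the hunk.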
@@ -250,6 +250,11 @@ public class ManifestParser : IManifestParser
 return Array.Empty();
 }
- return Directory.GetFiles(_path, "package.manifest", SearchOption.AllDirectories);
+ var files = Directory.GetFiles(_path, "package.manifest", SearchOption.AllDirectories);
+
+ // Ensure a consistent, alphabetical sorting of paths, because this is not guaranteed to be the same between file systems or OSes
+ Array.Sort(files);
+
+ return files;
 }
 }
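Review bot: `Array.Sort(files)` with no comparer uses `Comparer<string>.Default`, which is the current culture's comparison, so the order can still differ between machines with different culture settings and the comment's promise of a consistent order across file systems and OSes is not fully kept; use `Array.Sort(files, StringComparer.Ordinal);`. Ordinal also matches how paths are compared by the file system itself, with `StringComparer.OrdinalIgnoreCase` the choice if identical ordering on case-insensitive file systems matters more. The enclosing method starts outside the hunk.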