servers/ttrss
1
0
Fork 0
mirror of https://tt-rss.org/git/tt-rss.git synced 2024-06-26 11:59:02 +02:00
Code Issues Releases Wiki Activity
9,981 Commits 34 Branches 0 Tags 149 MiB
33fdde249e
Commit Graph

9981 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andrew Dolgov
33fdde249e pass CSRF token to opml import and feed icon replace dialogs 2020-09-16 06:43:55 +03:00
Andrew Dolgov
f693ebab21 fix default password nag dialog, load via xhr 2020-09-16 06:38:41 +03:00
Andrew Dolgov
77faa5d523 editFeed: only try to reload feed tree in preferences if its actually there 2020-09-15 18:55:34 +03:00
Andrew Dolgov
3f9390c45f comments link: load in new tab 2020-09-15 18:49:03 +03:00
Andrew Dolgov
42b5564d1e editarticletags: load dialog via XHR 2020-09-15 18:47:19 +03:00
Andrew Dolgov
0706a328a4 handler: default base csrf_ignore() to false 2020-09-15 18:16:33 +03:00
Andrew Dolgov
0a142912d3 backend handler: require CSRF, remove obsolete code 2020-09-15 18:08:08 +03:00
Andrew Dolgov
154417d80b public/logout: require valid CSRF token 2020-09-15 16:59:11 +03:00
Andrew Dolgov
cbcb10a272 Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection 2020-09-15 16:28:09 +03:00
Andrew Dolgov
8080c525fd - backend: require CSRF token to be passed via POST 
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
 2020-09-15 16:12:53 +03:00
Andrew Dolgov
aeaafefa07 don't pass csrf token as a GET parameter to Article 2020-09-15 16:03:09 +03:00
Andrew Dolgov
e670ac2ee5 require CSRF token for Article/redirect 2020-09-15 15:35:50 +03:00
Andrew Dolgov
7e50c6c4b5 - enable CSRF support earlier 
- remove rpc/sanityCheck from CSRF-excluded calls
 2020-09-15 15:32:17 +03:00
Andrew Dolgov
91e1542a82 af_proxy_http: require separate token to access imgproxy 2020-09-15 10:59:57 +03:00
Andrew Dolgov
1621abcffc rewrite_relative_url: validate resulting absolutized URLs 2020-09-15 10:41:57 +03:00
Andrew Dolgov
aa89ea7769 validate_url: only allow safe ports (80, 443), disallow access to loopback 2020-09-15 10:39:09 +03:00
Andrew Dolgov
6c02fea641 validate_url: add clean() 2020-09-15 08:45:15 +03:00
Andrew Dolgov
4abc7d7898 rename base64_img() to image_to_base64() 2020-09-15 08:05:01 +03:00
Andrew Dolgov
79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url 
cache/getUrl: basename() passed filename just in case
 2020-09-15 08:02:28 +03:00
Andrew Dolgov
1ee458b5c1 cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks 2020-09-15 07:54:46 +03:00
Andrew Dolgov
0758397dd8 af_redditimgur: don't add embedded blank gif image for rewritten videos 2020-09-15 06:55:22 +03:00
Andrew Dolgov
4a074111b5 user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean()) 2020-09-14 20:53:00 +03:00
Andrew Dolgov
da98ba662e public/subscribe: require valid CSRF token when validating the form 2020-09-14 20:21:22 +03:00
Andrew Dolgov
b4cb67e77f remove csrf token from rpc method sanityCheck 2020-09-14 20:00:01 +03:00
Andrew Dolgov
c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http 
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
 2020-09-14 19:46:52 +03:00
Andrew Dolgov
5b17fdc362 Merge branch 'weblate-integration' 2020-09-11 09:35:15 +03:00
Andrew Dolgov
a922b3cc6d order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting 2020-09-11 07:48:22 +03:00
Andrew Dolgov
67f02e2aa7 properly return counters for labels with zero assigned articles 
refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766
 2020-08-29 08:41:52 +03:00
fox
5497a137de Merge branch 'master' of rodneys_mission/tt-rss into master 2020-08-14 19:21:31 +00:00
Rodney Stromlund
88ced02622 Silence php 7.2 error message generated in session_set_cookie_params. 2020-08-14 10:47:46 -05:00
Andrew Dolgov
ddf9227dc4 pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc 2020-08-13 12:23:27 +03:00
Andrew Dolgov
dfa65e9374 move order_by to SQL override logic into a separate function 2020-08-13 11:52:32 +03:00
Andrew Dolgov
48be005774 instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp 2020-08-11 13:29:09 +03:00
Andrew Dolgov
05a47e5cf4 OPML: export/import per-feed purge interval 2020-08-10 11:57:39 +03:00
fox
2b50aaed61 Merge branch 'master' of e1e0/tt-rss into master 2020-08-01 15:44:04 +00:00
Paco Esteban
c4ee0e25a1 more int/string type mismatches on getCategories 2020-08-01 16:30:10 +02:00
fox
86ba8a96c4 Merge branch 'master' of e1e0/tt-rss into master 2020-08-01 05:52:58 +00:00
Marek Pavelka
f99de985c1 Translated using Weblate (Czech) 
Currently translated at 100.0% (727 of 727 strings)

Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/cs/
 2020-07-31 16:23:42 +00:00
Paco Esteban
3da618e0ea make sure all ints are casted (to int) on getCategories 2020-07-31 16:15:16 +02:00
Jan Espen Pedersen
68ccc8f636 Translated using Weblate (Norwegian Bokmål) 
Currently translated at 44.7% (325 of 727 strings)

Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
 2020-07-19 16:40:06 +00:00
fox
376fe6271d Merge branch 'master' of rodneys_mission/tt-rss-fix-sanity-urls into master 2020-07-13 14:41:05 +00:00
Rodney Stromlund
376dce02bb Update wiki and forums links in error message. 2020-07-13 09:06:59 -05:00
fox
3b033a17f4 Merge branch 'feed-tree-localstorage' of nanaya/tt-rss into master 2020-07-09 18:02:02 +00:00
nanaya
8d8affdc45 Store FeedTree data in localStorage 
Patching internal functions of dijit.Tree as they don't provide option on where to store the data.

It stores to cookies by default but the data can get quite big for hundreds of feeds and exceeds cookies size limit.

Not to mention it'll cause the cookie to be sent during any request with nothing handling it server side and just wasting bandwidth.

This patch will also migrate current data in cookie to local storage accordingly.
 2020-07-09 01:52:46 +09:00
Jan Espen Pedersen
6868b41cd5 Translated using Weblate (Norwegian Bokmål) 
Currently translated at 44.7% (325 of 727 strings)

Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
 2020-07-03 22:17:44 +00:00
Anonymous
ec970a6bc8 Translated using Weblate (Norwegian Bokmål) 
Currently translated at 44.7% (325 of 727 strings)

Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
 2020-07-03 22:17:43 +00:00
Jan Espen Pedersen
2d0424bfcf Translated using Weblate (Norwegian Bokmål) 
Currently translated at 44.4% (323 of 727 strings)

Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
 2020-07-02 21:19:39 +00:00
fox
68b78ecd3d Merge branch 'bugfix/invalid-opml' of wn/tt-rss into master 2020-07-01 14:48:02 +00:00
Andrew Dolgov
b6372a846d when exporting OPML via web UI, add user login to the filename 2020-07-01 10:02:24 +03:00
Andrew Dolgov
fa653f5a43 prefs: show disabled filters properly on mysql 2020-07-01 09:49:53 +03:00