servers/ttrss
1
0
Fork 0
mirror of https://tt-rss.org/git/tt-rss.git synced 2024-07-01 12:40:50 +02:00
Code Issues Releases Wiki Activity
10,466 Commits 34 Branches 0 Tags 149 MiB
94560132dd
Commit Graph

18 Commits

Author SHA1 Message Date
Andrew Dolgov
660a1bbe01 * switch to xhr.post() almost everywhere 
* call App.handlerpcjson() automatically on json request (if possible)
 * show net/log indicators in prefs
 2021-02-19 13:44:56 +03:00
Andrew Dolgov
ee0b66b6bd af_proxy_http: markup cleanup 2021-02-18 12:13:13 +03:00
Andrew Dolgov
e4609c18ef * add (disabled) shortcut syntax for plugin methods 
* add controls shortcut for pluginhandler tags
 * add similar shortcut for frontend
 * allow plugins to selectively exclude their methods from CSRF checking
 2021-02-17 21:44:21 +03:00
Andrew Dolgov
35b6d63289 af_proxy_http: don't try to proxy back to ourselves 2021-02-17 16:27:52 +03:00
Andrew Dolgov
f58c49beaa replace a few more controls to new style 2021-02-16 18:50:18 +03:00
Andrew Dolgov
1f43d7916c replace print_hidden with hidden_tag 2021-02-16 14:32:06 +03:00
Andrew Dolgov
166f2d4666 diskcache: unify naming 2021-02-15 16:11:30 +03:00
Andrew Dolgov
7874f6ac58 remove PHPMD.UnusedFormalParameter 2021-02-08 19:42:10 +03:00
Andrew Dolgov
403dca154c initial WIP for php8; bump php version requirement to 7.0 2021-02-05 23:41:32 +03:00
JustAMacUser
65b3926ae5 Ensure proxy_all setting is saved in database. 2020-10-11 01:31:30 -04:00
Andrew Dolgov
74568df4ff remove a lot of stuff from global context (functions.php), add a few helper classes instead 2020-09-22 09:04:33 +03:00
Andrew Dolgov
a817d3794d * use get_random_bytes() for CSRF token 
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
 2020-09-17 08:59:18 +03:00
Andrew Dolgov
91e1542a82 af_proxy_http: require separate token to access imgproxy 2020-09-15 10:59:57 +03:00
Andrew Dolgov
79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url 
cache/getUrl: basename() passed filename just in case
 2020-09-15 08:02:28 +03:00
Andrew Dolgov
c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http 
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
 2020-09-14 19:46:52 +03:00
Andrew Dolgov
10c63ed582 pluginhost: add helper methods to get private/public pluginmethod endpoint URLs 2019-08-15 20:23:45 +03:00
Andrew Dolgov
bdf29856fb fix several leftover mentions of old (renamed) class name, duh 2019-08-15 17:12:59 +03:00
Andrew Dolgov
de5669f723 af_zz_imgproxy: rename to af_proxy_http, use priority hook loader 2019-08-15 16:27:53 +03:00