mirror of https://tt-rss.org/git/tt-rss.git synced 2024-07-05 13:20:55 +02:00
Commit Graph

10410 Commits

Author SHA1 Message Date
JustAMacUser
c8ac9dc7ea Remove private scope for class constants.
This change branches from the merged patch by Sunil Mohan Adapa for
Debian's package.
2020-09-18 18:13:18 -04:00
Andrew Dolgov
03a337a660 add basic safe mode which doesn't load any user plugins 2020-09-18 15:48:22 +03:00
Andrew Dolgov
3588d5186e - gettext: merge patch from Sunil Mohan Adapa which rewrites plural parser to not use eval()
- fix typo in aforementioned patch which caused plurals to never load
- update code again to newer PHP constructor syntax
2020-09-18 14:05:34 +03:00
Andrew Dolgov
4f5ae94b62 prevent source errors from crashing gulp watch 2020-09-18 12:14:37 +03:00
Andrew Dolgov
f3803c9e60 add eslint to package.json 2020-09-17 20:47:01 +03:00
Andrew Dolgov
5c1f70348e add less to package.json 2020-09-17 20:45:21 +03:00
Andrew Dolgov
4efc3d7b3f validate_url: relax requirements for URLs, limit additional port/loopback filtering to fetch_file_contents() 2020-09-17 20:20:23 +03:00
Andrew Dolgov
a4525d31b2 replace FALSE with false so that static analyzer shuts up about it 2020-09-17 19:02:27 +03:00
Andrew Dolgov
57fac84516 rename gettext.inc to gettext.inc.php (cosmetic) 2020-09-17 18:56:29 +03:00
Andrew Dolgov
d8619b9a84 auth_internal: cast OTP code to integer before trying to check it 2020-09-17 16:50:34 +03:00
Andrew Dolgov
c25edd0024 fetch_file_contents: validate effective URL (after redirects) without CURL 2020-09-17 16:17:33 +03:00
Andrew Dolgov
27e695436f fetch_file_contents: validate effective URL (after redirects) if using CURL 2020-09-17 15:53:13 +03:00
Andrew Dolgov
afa0023c51 don't try to update manually disabled feeds even if they haven't been updated before or are marked for a manual update 2020-09-17 15:40:50 +03:00
Andrew Dolgov
f41fdef389 add gulp task for less compilation 2020-09-17 13:30:52 +03:00
Andrew Dolgov
5415a0e033 add makefile for less to css compilation 2020-09-17 12:15:49 +03:00
Andrew Dolgov
37f41a5246 forgotpass: use type strict comparison for reset token 2020-09-17 11:49:27 +03:00
Andrew Dolgov
5a7e7e1367 don't try to call hash_equals() on unset user token 2020-09-17 10:20:55 +03:00
Andrew Dolgov
f72e6947d5 use hash_equals() correctly 2020-09-17 10:04:00 +03:00
Andrew Dolgov
e3adacc588 fix several cases of Db class being invoked as wrong name (as DB) 2020-09-17 09:18:03 +03:00
Andrew Dolgov
16c86e2fc3 replace some plain http links with https 2020-09-17 09:02:30 +03:00
Andrew Dolgov
a817d3794d * use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
2020-09-17 08:59:18 +03:00
Andrew Dolgov
0757ad0406 auth_internal: use type-strict comparison when checking OTP code 2020-09-17 08:46:57 +03:00
Andrew Dolgov
89d53a7f49 fix typo in previous 2020-09-17 08:45:17 +03:00
Andrew Dolgov
1f79d614c4 fix OTP QR code not displayed because of CSRF token passed as a query
parameter
use type-strict comparison when validating CSRF token on the backend
2020-09-17 08:43:39 +03:00
Andrew Dolgov
6a4b6cf603 amend previous to 127/8 subnet 2020-09-17 07:37:48 +03:00
Andrew Dolgov
213d6330b1 fetch_file_contents: resolve requested hosts and check for possible
loopback address
2020-09-17 07:36:47 +03:00
Andrew Dolgov
88c4dc405e build_url: also put query parameters and fragment in resulting URL
rewrite_relative_url: simplify handling of relative URLs
2020-09-16 21:41:05 +03:00
Andrew Dolgov
9d3c794983 subscribe: allow pre-filling feed URL if passed via query string 2020-09-16 17:20:31 +03:00
Andrew Dolgov
da5af2fae0 cached_url: block SVG images because of potential javascript inside 2020-09-16 16:25:20 +03:00
Andrew Dolgov
33fdde249e pass CSRF token to opml import and feed icon replace dialogs 2020-09-16 06:43:55 +03:00
Andrew Dolgov
f693ebab21 fix default password nag dialog, load via xhr 2020-09-16 06:38:41 +03:00
Andrew Dolgov
77faa5d523 editFeed: only try to reload feed tree in preferences if it's actually there 2020-09-15 18:55:34 +03:00
Andrew Dolgov
3f9390c45f comments link: load in new tab 2020-09-15 18:49:03 +03:00
Andrew Dolgov
42b5564d1e editarticletags: load dialog via XHR 2020-09-15 18:47:19 +03:00
Andrew Dolgov
0706a328a4 handler: default base csrf_ignore() to false 2020-09-15 18:16:33 +03:00
Andrew Dolgov
0a142912d3 backend handler: require CSRF, remove obsolete code 2020-09-15 18:08:08 +03:00
Andrew Dolgov
154417d80b public/logout: require valid CSRF token 2020-09-15 16:59:11 +03:00
Andrew Dolgov
cbcb10a272 Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection 2020-09-15 16:28:09 +03:00
Andrew Dolgov
8080c525fd - backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
2020-09-15 16:12:53 +03:00
Andrew Dolgov
aeaafefa07 don't pass csrf token as a GET parameter to Article 2020-09-15 16:03:09 +03:00
Andrew Dolgov
e670ac2ee5 require CSRF token for Article/redirect 2020-09-15 15:35:50 +03:00
Andrew Dolgov
7e50c6c4b5 - enable CSRF support earlier
- remove rpc/sanityCheck from CSRF-excluded calls
2020-09-15 15:32:17 +03:00
Andrew Dolgov
91e1542a82 af_proxy_http: require separate token to access imgproxy 2020-09-15 10:59:57 +03:00
Andrew Dolgov
1621abcffc rewrite_relative_url: validate resulting absolutized URLs 2020-09-15 10:41:57 +03:00
Andrew Dolgov
aa89ea7769 validate_url: only allow safe ports (80, 443), disallow access to loopback 2020-09-15 10:39:09 +03:00
Andrew Dolgov
6c02fea641 validate_url: add clean() 2020-09-15 08:45:15 +03:00
Andrew Dolgov
4abc7d7898 rename base64_img() to image_to_base64() 2020-09-15 08:05:01 +03:00
Andrew Dolgov
79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
2020-09-15 08:02:28 +03:00
Andrew Dolgov
1ee458b5c1 cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks 2020-09-15 07:54:46 +03:00
Andrew Dolgov
0758397dd8 af_redditimgur: don't add embedded blank gif image for rewritten videos 2020-09-15 06:55:22 +03:00