Andrew Dolgov
0706a328a4
handler: default base csrf_ignore() to false
2020-09-15 18:16:33 +03:00
Andrew Dolgov
0a142912d3
backend handler: require CSRF, remove obsolete code
2020-09-15 18:08:08 +03:00
Andrew Dolgov
154417d80b
public/logout: require valid CSRF token
2020-09-15 16:59:11 +03:00
Andrew Dolgov
cbcb10a272
Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection
2020-09-15 16:28:09 +03:00
Andrew Dolgov
8080c525fd
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
2020-09-15 16:12:53 +03:00
Andrew Dolgov
aeaafefa07
don't pass csrf token as a GET parameter to Article
2020-09-15 16:03:09 +03:00
Andrew Dolgov
e670ac2ee5
require CSRF token for Article/redirect
2020-09-15 15:35:50 +03:00
Andrew Dolgov
7e50c6c4b5
- enable CSRF support earlier
- remove rpc/sanityCheck from CSRF-excluded calls
2020-09-15 15:32:17 +03:00
Andrew Dolgov
91e1542a82
af_proxy_http: require separate token to access imgproxy
2020-09-15 10:59:57 +03:00
Andrew Dolgov
1621abcffc
rewrite_relative_url: validate resulting absolutized URLs
2020-09-15 10:41:57 +03:00
Andrew Dolgov
aa89ea7769
validate_url: only allow safe ports (80, 443), disallow access to loopback
2020-09-15 10:39:09 +03:00
Andrew Dolgov
6c02fea641
validate_url: add clean()
2020-09-15 08:45:15 +03:00
Andrew Dolgov
4abc7d7898
rename base64_img() to image_to_base64()
2020-09-15 08:05:01 +03:00
Andrew Dolgov
79f102c25d
af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
2020-09-15 08:02:28 +03:00
Andrew Dolgov
1ee458b5c1
cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks
2020-09-15 07:54:46 +03:00
Andrew Dolgov
0758397dd8
af_redditimgur: don't add embedded blank gif image for rewritten videos
2020-09-15 06:55:22 +03:00
Andrew Dolgov
4a074111b5
user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean())
2020-09-14 20:53:00 +03:00
Andrew Dolgov
da98ba662e
public/subscribe: require valid CSRF token when validating the form
2020-09-14 20:21:22 +03:00
Andrew Dolgov
b4cb67e77f
remove csrf token from rpc method sanityCheck
2020-09-14 20:00:01 +03:00
Andrew Dolgov
c3d14e1fa5
- fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
2020-09-14 19:46:52 +03:00
Andrew Dolgov
5b17fdc362
Merge branch 'weblate-integration'
2020-09-11 09:35:15 +03:00
Andrew Dolgov
a922b3cc6d
order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting
2020-09-11 07:48:22 +03:00
Andrew Dolgov
67f02e2aa7
properly return counters for labels with zero assigned articles
refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766
2020-08-29 08:41:52 +03:00
fox
5497a137de
Merge branch 'master' of rodneys_mission/tt-rss into master
2020-08-14 19:21:31 +00:00
Rodney Stromlund
88ced02622
Silence php 7.2 error message generated in `session_set_cookie_params`.
2020-08-14 10:47:46 -05:00
Andrew Dolgov
ddf9227dc4
pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc
2020-08-13 12:23:27 +03:00
Andrew Dolgov
dfa65e9374
move order_by to SQL override logic into a separate function
2020-08-13 11:52:32 +03:00
Andrew Dolgov
48be005774
instead of taking batch timestamp and score (?) into account, make oldest-first sorting work consistently with newest-first - i.e. rely on the feed-provided timestamp
2020-08-11 13:29:09 +03:00
Andrew Dolgov
05a47e5cf4
OPML: export/import per-feed purge interval
2020-08-10 11:57:39 +03:00
fox
2b50aaed61
Merge branch 'master' of e1e0/tt-rss into master
2020-08-01 15:44:04 +00:00
Paco Esteban
c4ee0e25a1
more int/string type mismatches on getCategories
2020-08-01 16:30:10 +02:00
fox
86ba8a96c4
Merge branch 'master' of e1e0/tt-rss into master
2020-08-01 05:52:58 +00:00
Marek Pavelka
f99de985c1
Translated using Weblate (Czech)
Currently translated at 100.0% (727 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/cs/
2020-07-31 16:23:42 +00:00
Paco Esteban
3da618e0ea
make sure all ints are cast (to int) on getCategories
2020-07-31 16:15:16 +02:00
Jan Espen Pedersen
68ccc8f636
Translated using Weblate (Norwegian Bokmål)
Currently translated at 44.7% (325 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
2020-07-19 16:40:06 +00:00
fox
376fe6271d
Merge branch 'master' of rodneys_mission/tt-rss-fix-sanity-urls into master
2020-07-13 14:41:05 +00:00
Rodney Stromlund
376dce02bb
Update wiki and forums links in error message.
2020-07-13 09:06:59 -05:00
fox
3b033a17f4
Merge branch 'feed-tree-localstorage' of nanaya/tt-rss into master
2020-07-09 18:02:02 +00:00
nanaya
8d8affdc45
Store FeedTree data in localStorage
Patching internal functions of dijit.Tree as they don't provide an option for where to store the data.
It stores to cookies by default, but the data can get quite big for hundreds of feeds and exceeds the cookie size limit.
Not to mention it'll cause the cookie to be sent with every request, with nothing handling it server-side, just wasting bandwidth.
This patch will also migrate the current data in the cookie to local storage accordingly.
2020-07-09 01:52:46 +09:00
Jan Espen Pedersen
6868b41cd5
Translated using Weblate (Norwegian Bokmål)
Currently translated at 44.7% (325 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
2020-07-03 22:17:44 +00:00
Anonymous
ec970a6bc8
Translated using Weblate (Norwegian Bokmål)
Currently translated at 44.7% (325 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
2020-07-03 22:17:43 +00:00
Jan Espen Pedersen
2d0424bfcf
Translated using Weblate (Norwegian Bokmål)
Currently translated at 44.4% (323 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
2020-07-02 21:19:39 +00:00
fox
68b78ecd3d
Merge branch 'bugfix/invalid-opml' of wn/tt-rss into master
2020-07-01 14:48:02 +00:00
Andrew Dolgov
b6372a846d
when exporting OPML via web UI, add user login to the filename
2020-07-01 10:02:24 +03:00
Andrew Dolgov
fa653f5a43
prefs: show disabled filters properly on mysql
2020-07-01 09:49:53 +03:00
Andrew Dolgov
2996a3942f
prefs: show root of filter tree as enabled so it's not grayed out
2020-07-01 09:48:27 +03:00
wn_
614d3ac1bf
Properly check if OPML file was loaded during import.
2020-06-27 15:06:08 -05:00
Andrew Dolgov
c352e872e9
core: pass found enclosures to HOOK_ARTICLE_FILTER
af_redditimgur: remove enclosures if we found something to embed because it's going to be a low-res thumbnail
2020-06-24 22:54:14 +03:00
Andrew Dolgov
6eb94f1e13
better support for image srcset attributes as discussed in https://community.tt-rss.org/t/problem-with-img-srcset/3519
2020-06-15 11:58:59 +03:00
Andrew Dolgov
697418f863
more eslint fixes
2020-06-05 07:54:32 +03:00