Commit Graph

254 Commits

Author SHA1 Message Date
Andrew Dolgov 37f41a5246 forgotpass: use type strict comparison for reset token 2020-09-17 11:49:27 +03:00
Andrew Dolgov 1f79d614c4 fix OTP QR code not displayed because of CSRF token passed as a query
parameter
use type-strict comparison when validating CSRF token on the backend
2020-09-17 08:43:39 +03:00
Andrew Dolgov 9d3c794983 subscribe: allow pre-filling feed URL if passed via query string 2020-09-16 17:20:31 +03:00
Andrew Dolgov 154417d80b public/logout: require valid CSRF token 2020-09-15 16:59:11 +03:00
Andrew Dolgov 8080c525fd - backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
2020-09-15 16:12:53 +03:00
Andrew Dolgov da98ba662e public/subscribe: require valid CSRF token when validating the form 2020-09-14 20:21:22 +03:00
Andrew Dolgov c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
2020-09-14 19:46:52 +03:00
Rodney Stromlund 88ced02622 Silence php 7.2 error message generated in `session_set_cookie_params`. 2020-08-14 10:47:46 -05:00
Andrew Dolgov dfa65e9374 move order_by to SQL override logic into a separate function 2020-08-13 11:52:32 +03:00
Andrew Dolgov 48be005774 instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp 2020-08-11 13:29:09 +03:00
Andrew Dolgov 1f2a721905 allow overriding built-in templates via templates.local 2020-03-13 14:40:35 +03:00
Andrew Dolgov bdb1e475e7 external subscribe dialog: support dark theme 2020-02-27 13:40:32 +03:00
Andrew Dolgov b2876f6c72 share anything dialog: support dark theme 2020-02-27 13:38:24 +03:00
Andrew Dolgov 4ab3854aed don't generate default.css, replace with themes/light.css as a default root CSS file 2020-02-22 16:22:44 +03:00
Andrew Dolgov aa56bcaf44 support night mode when using share by URL 2020-01-19 10:51:08 +03:00
Andrew Dolgov f47998f569 generate_syndicated_feed: use local media in generated feeds if it is available 2020-01-13 17:02:14 +03:00
Andrew Dolgov 72d0fac80c remove version.php and VERSION global constant, do version-related things in a slightly less ridiculous way 2019-12-18 14:27:40 +03:00
Andrew Dolgov ef514bc4bd add notifications for mail and password changes
update and shorten some other message templates
2019-10-09 09:04:51 +03:00
Rodney Stromlund 958c4dc124 Removed extra php end tag that was showing in the page title 2019-09-17 09:11:30 -05:00
Andrew Dolgov 3e4701116d af_readability: add missing file 2019-08-16 15:29:24 +03:00
Andrew Dolgov 0e3b71c535 public/pluginhandler: log invalid requests 2019-08-15 17:17:25 +03:00
Andrew Dolgov d4df57e1a4 Article::get_article_image() - also return stream URI if possible 2019-08-14 17:04:14 +03:00
Andrew Dolgov 68e2b05f65 * move get_article_image to Article; implement better og:image detection (similar to android app)
* pass article image to API clients in headlines row object
2019-08-14 16:55:38 +03:00
Andrew Dolgov 39f459eb04 public/cached_url: forbid sending files with extensions 2019-08-14 10:45:46 +03:00
Andrew Dolgov 3c075bfd21 DiskCache: more strict checking for input filenames, getUrl() is no longer static 2019-08-14 09:49:18 +03:00
Andrew Dolgov fdb6066bf6 * HOOK_ENCLOSURE_ENTRY: pass article_id to handler
* DiskCache: multiple fixes; support isWritable() for cache entries, set content-disposition for send()
* public/cached_url: allow selecting files from sub-caches other than images
* plugins/Cache_Starred_Images: rework to use DiskCache, can be enabled per-user, properly handles article enclosures, etc
2019-08-13 16:40:21 +03:00
Andrew Dolgov 133c2b482b move rewrite_cached_urls to DiskCache::rewriteUrls() 2019-08-13 12:46:57 +03:00
Andrew Dolgov b1dd38f880 add DiskCache.getUrl() and use it in a bunch of places 2019-08-13 12:39:21 +03:00
Andrew Dolgov ea30061cce public: fix share() returning random unshared articles if uuid is not given 2019-07-05 16:02:51 +03:00
Andrew Dolgov 4fa9aee4e7 move several more global functions to more appropriate classes 2019-06-20 08:14:06 +03:00
Andrew Dolgov 6d746453c7 get_feeds_from_html: remove XML preamble hack
move several related helper functions to Feeds class
2019-06-20 07:51:48 +03:00
Andrew Dolgov 671f4cee65 domdocument: remove old meta charset unicode hacks, replace with shorter xml preamble utf8 hack (on loadhtml where it makes sense)
af_readability: better (?) charset hack for non-unicode pages
2019-03-21 21:08:02 +03:00
Andrew Dolgov 6ae0a3dd3e share: further improve og:description excerpt logic, minor layout stuff 2019-03-19 20:41:38 +03:00
Andrew Dolgov 74e8661351 share: decode entities in metadata fields so that length limits would make more sense 2019-03-19 15:53:32 +03:00
Andrew Dolgov 19f162dbe3 css: insensitive -> text-muted 2019-03-08 10:11:57 +03:00
Andrew Dolgov 44858ca2dd Merge branch 'master' of git.fakecake.org:tt-rss 2019-03-07 06:45:04 +03:00
Andrew Dolgov e91223ec7d update CLI schema updater with newer warnings 2019-03-07 06:44:59 +03:00
Andrew Dolgov 609662d48c oops, fix typo 2019-03-06 22:48:10 +03:00
Andrew Dolgov 91cfd9c391 dbupdater: add mysql transaction warning 2019-03-06 22:46:31 +03:00
Andrew Dolgov 0881d0a00d some dbupdater improvements; fix schema 136 syntax for mysql 2019-03-06 19:42:27 +03:00
Andrew Dolgov 38e01270d8 archived feeds: expire old entries (schema bump) 2019-03-06 19:06:05 +03:00
Andrew Dolgov ef6d2b8a4e update notifications to make them more visible
cleanup some minor stuff in pref-users
2019-03-05 20:09:06 +03:00
Andrew Dolgov 5b3a73e574 login: switch to absolute redirect urls 2019-03-04 20:38:39 +03:00
Andrew Dolgov 925065b1fe Revert "login: only allow relative URLs in return="
This reverts commit c68ac04020.
2019-03-04 07:02:58 +03:00
Andrew Dolgov c68ac04020 login: only allow relative URLs in return= 2019-03-03 07:53:42 +03:00
Andrew Dolgov cc57ed3775 public/subscribe: add basic dialog to enter feed urls 2019-03-03 06:18:19 +03:00
Andrew Dolgov 54c1b5c611 fill in some missing doctypes; use short doctype where it wasn't 2019-02-23 13:49:40 +03:00
Andrew Dolgov d60038d48b simplify some public.php prompts; prevent from submitting forgotpass form repeatedly if check succeeds 2019-02-21 12:50:15 +03:00
Andrew Dolgov 6701497879 public.php: markup cleanup 2019-02-20 13:12:55 +03:00
Andrew Dolgov be322d6fc8 cleanup sharepopup dialog 2019-02-20 13:05:12 +03:00
Andrew Dolgov d9e20f8b16 update external subscribe dialog 2019-02-20 12:32:52 +03:00
Andrew Dolgov 5ce55faa3b installer: reduce margins; misc fixes 2019-02-19 21:23:03 +03:00
Andrew Dolgov 420e71280a dbupdater: dojoify, add some missing translations 2019-02-19 20:55:02 +03:00
Andrew Dolgov f7a4a45bde pwd reset: use dijit controls 2019-02-19 20:43:45 +03:00
Andrew Dolgov 59df261fb8 forgotpass: slightly better anti-bot protection 2019-02-19 20:25:48 +03:00
Andrew Dolgov 8cd7f31bde utility css updates 2019-02-19 19:46:09 +03:00
Andrew Dolgov c11f32ac38 center and rework some utility screens 2019-02-19 14:59:29 +03:00
Andrew Dolgov b1f9ebe46e get_article_image: ignore data: schema images, other minor fixes 2019-01-10 08:42:31 +03:00
Andrew Dolgov e70d42237a edit options after subscribe: use correct method name 2018-12-25 16:22:12 +03:00
Andrew Dolgov d0d05e4079 zoom mode: hide .attachments 2018-12-10 07:20:13 +03:00
Andrew Dolgov 6a6af964df feed template, ARTICLE_OG_IMAGE: set as optional 2018-12-09 17:18:29 +03:00
Andrew Dolgov 851f62dc4a syndicated feeds:
1. properly reset enclosure template variables if there's no enclosures
2. add ARTICLE_OG_IMAGE which sets flavor image for article using common code with article render etc
2018-12-09 17:07:17 +03:00
Andrew Dolgov b2c079893b move Article::format_article() to Handler_Public 2018-12-09 11:13:02 +03:00
Andrew Dolgov 966fe6d612 #sharepopup: update css 2018-12-09 10:56:39 +03:00
Andrew Dolgov 19e24b4fe2 force cast profile id to integer when assigning to session variable 2018-12-06 07:08:54 +03:00
Andrew Dolgov 29c890b495 login form: use dojo, remove profile hacks 2018-12-04 23:17:35 +03:00
Andrew Dolgov 79c5035920 reset password: use updated mailer parameters properly 2018-11-26 12:44:36 +03:00
Andrew Dolgov 57932e1837 remove PHPMailer and related directives from config.php-dist; add pluggable Mailer class 2018-11-22 14:45:14 +03:00
Andrew Dolgov 253dbd4856 generate_syndicated_feed: add support for virtual feeds provided by plugins 2018-11-07 14:21:39 +03:00
Andrew Dolgov 5f66f872b6 fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 2018-10-16 14:07:42 +03:00
Andrew Dolgov f8fc1ac543 login: check for stale session in login handler, instead of authenticate_user() 2018-10-16 11:39:12 +03:00
Andrew Dolgov f730d7bb0a another attempt to enforce session ID regeneration on login 2018-10-16 09:11:32 +03:00
Andrew Dolgov 65e98f4086 force regenerate session id on successful login, remove previous blank SID check 2018-10-15 15:47:50 +03:00
Andrew Dolgov 88adf3da1b send_local_file: add application/octet-stream hack
cached_url: return original requested filename to save as
2018-08-16 12:16:51 +03:00
Andrew Dolgov e6532439d6 force strip_tags() on all user input unless explicitly allowed 2017-12-03 23:35:38 +03:00
Andrew Dolgov df5d2a0665 pluginhost: do not connect via legacy DB api until requested
log all initiated legacy database connections
2017-12-03 14:49:18 +03:00
Andrew Dolgov b51d44a5e6 further stylesheet simplification related fixes (2) 2017-12-03 13:26:26 +03:00
Andrew Dolgov 09bc54c690 further stylesheet simplification related fixes 2017-12-03 13:25:34 +03:00
Andrew Dolgov 5e68e24679 css/less updates 2017-12-03 12:50:07 +03:00
Andrew Dolgov 187abfe732 main classes: remove sql_bool_to_bool() kludge 2017-12-03 09:35:59 +03:00
Andrew Dolgov 1d92297a96 dbupdater: use PDO 2017-12-02 01:28:30 +03:00
Andrew Dolgov cb13089af1 public: use PDO headlines result (2) 2017-12-01 20:57:55 +03:00
Andrew Dolgov dc393a580b public: use PDO headlines result 2017-12-01 20:57:05 +03:00
Andrew Dolgov 1271407eea public: partial conversion to PDO, misc fixes 2017-12-01 18:57:34 +03:00
Andrew Dolgov 9dd336a2c3 generate base css files using lessc 2017-11-29 18:55:12 +03:00
Andrew Dolgov 2352c320c2 fix possible sql injection in public/forgotpass 2017-11-20 08:48:18 +03:00
Gilles Grandou 81d96c0dee makes 'order by title' to sort by title and by ascending date
* this allows to chronologically browse all articles with the
  same title.
2017-10-09 22:50:03 +02:00
Andrew Dolgov 8b73bd28d8 remove apache-specific x-sendfile stuff
implement a hook (HOOK_SEND_LOCAL_FILE) which plugins may use to send files
via httpd-specific implementation to increase performance typically on larger files
2017-10-08 17:14:56 +03:00
Andrew Dolgov b2d42e960b replace some usages of SELF_URL_PATH with get_self_url_prefix() 2017-07-06 23:01:44 +03:00
Andrew Dolgov 5b6ea1ef91 remove pubsubhubbub: dead 2017-05-16 10:41:20 +03:00
Andrew Dolgov 2ed0d6c433 move counter cache to a separate class
fix references to get_article_tags
2017-05-04 15:22:57 +03:00
Andrew Dolgov aeb1abedb2 move a bunch of functions into Feeds/Article namespaces
+       static function catchupArticlesById($ids, $cmode, $owner_uid = false) {
+       static function getLastArticleId() {
+       static function queryFeedHeadlines($params) {
+       static function getParentCategories($cat, $owner_uid) {
+       static function getChildCategories($cat, $owner_uid) {

move the rest of functions2.php back to functions.php as it is of more manageable size, remove the former
2017-05-04 15:13:02 +03:00
Andrew Dolgov a230bf88a9 move to Article:
+       static function purge_orphans($do_output = false) {

move to Feeds

+       static function getGlobalUnread($user_id = false) {
+       static function getCategoryTitle($cat_id) {
+       static function getLabelUnread($label_id, $owner_uid = false) {
2017-05-04 15:00:21 +03:00
Andrew Dolgov 86a8351ca2 move the following to Feeds:
+       static function catchup_feed($feed, $cat_view, $owner_uid = false, $mode = 'all', $search = false) {
+       static function getFeedArticles($feed, $is_cat = false, $unread_only = false,
+       static function subscribe_to_feed($url, $cat_id = 0,
+       static function getFeedIcon($id) {
+       static function getFeedTitle($id, $cat = false) {
+       static function getCategoryUnread($cat, $owner_uid = false) {
+       static function getCategoryChildrenUnread($cat, $owner_uid = false) {
2017-05-04 14:50:56 +03:00
Andrew Dolgov 7e5f8d9fb3 move the following to Article:
+       static function format_article_enclosures($id, $always_display_enclosures,
+       static function format_article($id, $mark_as_read = true, $zoom_mode = false, $owner_uid = false) {
+       static function get_article_tags($id, $owner_uid = 0, $tag_cache = false) {
+       static function format_tags_string($tags) {
+       static function format_article_labels($labels) {
+       static function format_article_note($id, $note, $allow_edit = true) {
+       static function get_article_enclosures($id) {
2017-05-04 14:38:45 +03:00
Andrew Dolgov 41bead9baa remove local file extensions and generalize some method names for cached media
file extensions may still be present in urls, but are ignored by the backend

MIGRATION (if you have any cached data worth keeping, not required):
in cache/images run "rename 's/\..*$//' *" i.e. strip file extensions
2017-03-23 14:55:40 +03:00
Andrew Dolgov 4daaf23491 allow user plugins to expose public methods out in a limited fashion 2017-02-10 16:04:28 +03:00
Andrew Dolgov 38b3998bbc af_zz_imgproxy: use inline disposition, misc updates 2017-02-10 12:37:21 +03:00
Andrew Dolgov 9c7ebaa08c cached_image: remove unnecessary basename() 2017-02-04 12:02:17 +03:00
Andrew Dolgov 0442cbb6c1 image cache: send files as content-disposition: attachment; add .png suffix to image urls 2017-02-04 11:32:24 +03:00