Andrew Dolgov
37f41a5246
forgotpass: use type strict comparison for reset token
2020-09-17 11:49:27 +03:00
Andrew Dolgov
1f79d614c4
fix OTP QR code not displayed because of CSRF token passed as a query
...
parameter
use type-strict comparison when validating CSRF token on the backend
2020-09-17 08:43:39 +03:00
Andrew Dolgov
9d3c794983
subscribe: allow pre-filling feed URL if passed via query string
2020-09-16 17:20:31 +03:00
Andrew Dolgov
154417d80b
public/logout: require valid CSRF token
2020-09-15 16:59:11 +03:00
Andrew Dolgov
8080c525fd
- backend: require CSRF token to be passed via POST
...
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
2020-09-15 16:12:53 +03:00
Andrew Dolgov
da98ba662e
public/subscribe: require valid CSRF token when validating the form
2020-09-14 20:21:22 +03:00
Andrew Dolgov
c3d14e1fa5
- fix multiple vulnerabilities in af_proxy_http
...
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
2020-09-14 19:46:52 +03:00
Rodney Stromlund
88ced02622
Silence php 7.2 error message generated in `session_set_cookie_params`.
2020-08-14 10:47:46 -05:00
Andrew Dolgov
dfa65e9374
move order_by to SQL override logic into a separate function
2020-08-13 11:52:32 +03:00
Andrew Dolgov
48be005774
instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp
2020-08-11 13:29:09 +03:00
Andrew Dolgov
1f2a721905
allow overriding built-in templates via templates.local
2020-03-13 14:40:35 +03:00
Andrew Dolgov
bdb1e475e7
external subscribe dialog: support dark theme
2020-02-27 13:40:32 +03:00
Andrew Dolgov
b2876f6c72
share anything dialog: support dark theme
2020-02-27 13:38:24 +03:00
Andrew Dolgov
4ab3854aed
don't generate default.css, replace with themes/light.css as a default root CSS file
2020-02-22 16:22:44 +03:00
Andrew Dolgov
aa56bcaf44
support night mode when using share by URL
2020-01-19 10:51:08 +03:00
Andrew Dolgov
f47998f569
generate_syndicated_feed: use local media in generated feeds if it is available
2020-01-13 17:02:14 +03:00
Andrew Dolgov
72d0fac80c
remove version.php and VERSION global constant, do version-related things in a slightly less ridiculous way
2019-12-18 14:27:40 +03:00
Andrew Dolgov
ef514bc4bd
add notifications for mail and password changes
...
update and shorten some other message templates
2019-10-09 09:04:51 +03:00
Rodney Stromlund
958c4dc124
Removed extra php end tag that was showing in the page title
2019-09-17 09:11:30 -05:00
Andrew Dolgov
3e4701116d
af_readability: add missing file
2019-08-16 15:29:24 +03:00
Andrew Dolgov
0e3b71c535
public/pluginhandler: log invalid requests
2019-08-15 17:17:25 +03:00
Andrew Dolgov
d4df57e1a4
Article::get_article_image() - also return stream URI if possible
2019-08-14 17:04:14 +03:00
Andrew Dolgov
68e2b05f65
* move get_article_image to Article; implement better og:image detection (similar to android app)
...
* pass article image to API clients in headlines row object
2019-08-14 16:55:38 +03:00
Andrew Dolgov
39f459eb04
public/cached_url: forbid sending files with extensions
2019-08-14 10:45:46 +03:00
Andrew Dolgov
3c075bfd21
DiskCache: more strict checking for input filenames, getUrl() is no longer static
2019-08-14 09:49:18 +03:00
Andrew Dolgov
fdb6066bf6
* HOOK_ENCLOSURE_ENTRY: pass article_id to handler
...
* DiskCache: multiple fixes; support isWritable() for cache entries, set content-disposition for send()
* public/cached_url: allow selecting files from sub-caches other than images
* plugins/Cache_Starred_Images: rework to use DiskCache, can be enabled per-user, properly handles article enclosures, etc
2019-08-13 16:40:21 +03:00
Andrew Dolgov
133c2b482b
move rewrite_cached_urls to DiskCache::rewriteUrls()
2019-08-13 12:46:57 +03:00
Andrew Dolgov
b1dd38f880
add DiskCache.getUrl() and use it in a bunch of places
2019-08-13 12:39:21 +03:00
Andrew Dolgov
ea30061cce
public: fix share() returning random unshared articles if uuid is not given
2019-07-05 16:02:51 +03:00
Andrew Dolgov
4fa9aee4e7
move several more global functions to more appropriate classes
2019-06-20 08:14:06 +03:00
Andrew Dolgov
6d746453c7
get_feeds_from_html: remove XML preamble hack
...
move several related helper functions to Feeds class
2019-06-20 07:51:48 +03:00
Andrew Dolgov
671f4cee65
domdocument: remove old meta charset unicode hacks, replace with shorter xml preamble utf8 hack (on loadhtml where it makes sense)
...
af_readability: better (?) charset hack for non-unicode pages
2019-03-21 21:08:02 +03:00
Andrew Dolgov
6ae0a3dd3e
share: further improve og:description excerpt logic, minor layout stuff
2019-03-19 20:41:38 +03:00
Andrew Dolgov
74e8661351
share: decode entities in metadata fields so that length limits would make more sense
2019-03-19 15:53:32 +03:00
Andrew Dolgov
19f162dbe3
css: insensitive -> text-muted
2019-03-08 10:11:57 +03:00
Andrew Dolgov
44858ca2dd
Merge branch 'master' of git.fakecake.org:tt-rss
2019-03-07 06:45:04 +03:00
Andrew Dolgov
e91223ec7d
update CLI schema updater with newer warnings
2019-03-07 06:44:59 +03:00
Andrew Dolgov
609662d48c
oops, fix typo
2019-03-06 22:48:10 +03:00
Andrew Dolgov
91cfd9c391
dbupdater: add mysql transaction warning
2019-03-06 22:46:31 +03:00
Andrew Dolgov
0881d0a00d
some dbupdater improvements; fix schema 136 syntax for mysql
2019-03-06 19:42:27 +03:00
Andrew Dolgov
38e01270d8
archived feeds: expire old entries (schema bump)
2019-03-06 19:06:05 +03:00
Andrew Dolgov
ef6d2b8a4e
update notifications to make them more visible
...
cleanup some minor stuff in pref-users
2019-03-05 20:09:06 +03:00
Andrew Dolgov
5b3a73e574
login: switch to absolute redirect urls
2019-03-04 20:38:39 +03:00
Andrew Dolgov
925065b1fe
Revert "login: only allow relative URLs in return="
...
This reverts commit c68ac04020
.
2019-03-04 07:02:58 +03:00
Andrew Dolgov
c68ac04020
login: only allow relative URLs in return=
2019-03-03 07:53:42 +03:00
Andrew Dolgov
cc57ed3775
public/subscribe: add basic dialog to enter feed urls
2019-03-03 06:18:19 +03:00
Andrew Dolgov
54c1b5c611
fill in some missing doctypes; use short doctype where it wasn't
2019-02-23 13:49:40 +03:00
Andrew Dolgov
d60038d48b
simplify some public.php prompts; prevent from submitting forgotpass form repeatedly if check succeeds
2019-02-21 12:50:15 +03:00
Andrew Dolgov
6701497879
public.php: markup cleanup
2019-02-20 13:12:55 +03:00
Andrew Dolgov
be322d6fc8
cleanup sharepopup dialog
2019-02-20 13:05:12 +03:00
Andrew Dolgov
d9e20f8b16
update external subscribe dialog
2019-02-20 12:32:52 +03:00
Andrew Dolgov
5ce55faa3b
installer: reduce margins; misc fixes
2019-02-19 21:23:03 +03:00
Andrew Dolgov
420e71280a
dbupdater: dojoify, add some missing translations
2019-02-19 20:55:02 +03:00
Andrew Dolgov
f7a4a45bde
pwd reset: use dijit controls
2019-02-19 20:43:45 +03:00
Andrew Dolgov
59df261fb8
forgotpass: slightly better anti-bot protection
2019-02-19 20:25:48 +03:00
Andrew Dolgov
8cd7f31bde
utility css updates
2019-02-19 19:46:09 +03:00
Andrew Dolgov
c11f32ac38
center and rework some utility screens
2019-02-19 14:59:29 +03:00
Andrew Dolgov
b1f9ebe46e
get_article_image: ignore data: schema images, other minor fixes
2019-01-10 08:42:31 +03:00
Andrew Dolgov
e70d42237a
edit options after subscribe: use correct method name
2018-12-25 16:22:12 +03:00
Andrew Dolgov
d0d05e4079
zoom mode: hide .attachments
2018-12-10 07:20:13 +03:00
Andrew Dolgov
6a6af964df
feed template, ARTICLE_OG_IMAGE: set as optional
2018-12-09 17:18:29 +03:00
Andrew Dolgov
851f62dc4a
syndicated feeds:
...
1. properly reset enclosure template variables if there's no enclosures
2. add ARTICLE_OG_IMAGE which sets flavor image for article using common code with article render etc
2018-12-09 17:07:17 +03:00
Andrew Dolgov
b2c079893b
move Article::format_article() to Handler_Public
2018-12-09 11:13:02 +03:00
Andrew Dolgov
966fe6d612
#sharepopup: update css
2018-12-09 10:56:39 +03:00
Andrew Dolgov
19e24b4fe2
force cast profile id to integer when assigning to session variable
2018-12-06 07:08:54 +03:00
Andrew Dolgov
29c890b495
login form: use dojo, remove profile hacks
2018-12-04 23:17:35 +03:00
Andrew Dolgov
79c5035920
reset password: use updated mailer parameters properly
2018-11-26 12:44:36 +03:00
Andrew Dolgov
57932e1837
remove PHPMailer and related directives from config.php-dist; add pluggable Mailer class
2018-11-22 14:45:14 +03:00
Andrew Dolgov
253dbd4856
generate_syndicated_feed: add support for virtual feeds provided by plugins
2018-11-07 14:21:39 +03:00
Andrew Dolgov
5f66f872b6
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks
2018-10-16 14:07:42 +03:00
Andrew Dolgov
f8fc1ac543
login: check for stale session in login handler, instead of authenticate_user()
2018-10-16 11:39:12 +03:00
Andrew Dolgov
f730d7bb0a
another attempt to enforce session ID regeneration on login
2018-10-16 09:11:32 +03:00
Andrew Dolgov
65e98f4086
force regenerate session id on successful login, remove previous blank SID check
2018-10-15 15:47:50 +03:00
Andrew Dolgov
88adf3da1b
send_local_file: add application/octet-stream hack
...
cached_url: return original requested filename to save as
2018-08-16 12:16:51 +03:00
Andrew Dolgov
e6532439d6
force strip_tags() on all user input unless explicitly allowed
2017-12-03 23:35:38 +03:00
Andrew Dolgov
df5d2a0665
pluginhost: do not connect via legacy DB api until requested
...
log all initiated legacy database connections
2017-12-03 14:49:18 +03:00
Andrew Dolgov
b51d44a5e6
further stylesheet simplification related fixes (2)
2017-12-03 13:26:26 +03:00
Andrew Dolgov
09bc54c690
further stylesheet simplification related fixes
2017-12-03 13:25:34 +03:00
Andrew Dolgov
5e68e24679
css/less updates
2017-12-03 12:50:07 +03:00
Andrew Dolgov
187abfe732
main classes: remove sql_bool_to_bool() kludge
2017-12-03 09:35:59 +03:00
Andrew Dolgov
1d92297a96
dbupdater: use PDO
2017-12-02 01:28:30 +03:00
Andrew Dolgov
cb13089af1
public: use PDO headlines result (2)
2017-12-01 20:57:55 +03:00
Andrew Dolgov
dc393a580b
public: use PDO headlines result
2017-12-01 20:57:05 +03:00
Andrew Dolgov
1271407eea
public: partial conversion to PDO, misc fixes
2017-12-01 18:57:34 +03:00
Andrew Dolgov
9dd336a2c3
generate base css files using lessc
2017-11-29 18:55:12 +03:00
Andrew Dolgov
2352c320c2
fix possible sql injection in public/forgotpass
2017-11-20 08:48:18 +03:00
Gilles Grandou
81d96c0dee
makes 'order by title' to sort by title and by ascending date
...
* this allows to chronologically browse all articles with the
same title.
2017-10-09 22:50:03 +02:00
Andrew Dolgov
8b73bd28d8
remove apache-specific x-sendfile stuff
...
implement a hook (HOOK_SEND_LOCAL_FILE) which plugins may use to send files
via httpd-specific implementation to increase performance typically on larger files
2017-10-08 17:14:56 +03:00
Andrew Dolgov
b2d42e960b
replace some usages of SELF_URL_PATH with get_self_url_prefix()
2017-07-06 23:01:44 +03:00
Andrew Dolgov
5b6ea1ef91
remove pubsubhubbub: dead
2017-05-16 10:41:20 +03:00
Andrew Dolgov
2ed0d6c433
move counter cache to a separate class
...
fix references to get_article_tags
2017-05-04 15:22:57 +03:00
Andrew Dolgov
aeb1abedb2
move a bunch of functions into Feeds/Article namespaces
...
+ static function catchupArticlesById($ids, $cmode, $owner_uid = false) {
+ static function getLastArticleId() {
+ static function queryFeedHeadlines($params) {
+ static function getParentCategories($cat, $owner_uid) {
+ static function getChildCategories($cat, $owner_uid) {
move the rest of functions2.php back to functions.php as it is of more manageable size, remove the former
2017-05-04 15:13:02 +03:00
Andrew Dolgov
a230bf88a9
move to Article:
...
+ static function purge_orphans($do_output = false) {
move to Feeds
+ static function getGlobalUnread($user_id = false) {
+ static function getCategoryTitle($cat_id) {
+ static function getLabelUnread($label_id, $owner_uid = false) {
2017-05-04 15:00:21 +03:00
Andrew Dolgov
86a8351ca2
move the following to Feeds:
...
+ static function catchup_feed($feed, $cat_view, $owner_uid = false, $mode = 'all', $search = false) {
+ static function getFeedArticles($feed, $is_cat = false, $unread_only = false,
+ static function subscribe_to_feed($url, $cat_id = 0,
+ static function getFeedIcon($id) {
+ static function getFeedTitle($id, $cat = false) {
+ static function getCategoryUnread($cat, $owner_uid = false) {
+ static function getCategoryChildrenUnread($cat, $owner_uid = false) {
2017-05-04 14:50:56 +03:00
Andrew Dolgov
7e5f8d9fb3
move the following to Article:
...
+ static function format_article_enclosures($id, $always_display_enclosures,
+ static function format_article($id, $mark_as_read = true, $zoom_mode = false, $owner_uid = false) {
+ static function get_article_tags($id, $owner_uid = 0, $tag_cache = false) {
+ static function format_tags_string($tags) {
+ static function format_article_labels($labels) {
+ static function format_article_note($id, $note, $allow_edit = true) {
+ static function get_article_enclosures($id) {
2017-05-04 14:38:45 +03:00
Andrew Dolgov
41bead9baa
remove local file extensions and generalize some method names for cached media
...
file extensions may still be present in urls, but are ignored by the backend
MIGRATION (if you have any cached data worth keeping, not required):
in cache/images run "rename 's/\..*$//' *" i.e. strip file extensions
2017-03-23 14:55:40 +03:00
Andrew Dolgov
4daaf23491
allow user plugins to expose public methods out in a limited fashion
2017-02-10 16:04:28 +03:00
Andrew Dolgov
38b3998bbc
af_zz_imgproxy: use inline disposition, misc updates
2017-02-10 12:37:21 +03:00
Andrew Dolgov
9c7ebaa08c
cached_image: remove unnecessary basename()
2017-02-04 12:02:17 +03:00
Andrew Dolgov
0442cbb6c1
image cache: send files as content-disposition: attachment; add .png suffix to image urls
2017-02-04 11:32:24 +03:00