Andrew Dolgov
1f79d614c4
fix OTP QR code not displayed because of CSRF token passed as a query
...
parameter
use type-strict comparison when validating CSRF token on the backend
2020-09-17 08:43:39 +03:00
Andrew Dolgov
6a4b6cf603
amend previous to 127/8 subnet
2020-09-17 07:37:48 +03:00
Andrew Dolgov
213d6330b1
fetch_file_contents: resolve requested hosts and check for possible
...
loopback address
2020-09-17 07:36:47 +03:00
Andrew Dolgov
88c4dc405e
build_url: also put query parameters and fragment in resulting URL
...
rewrite_relative_url: simplify handling of relative URLs
2020-09-16 21:41:05 +03:00
Andrew Dolgov
9d3c794983
subscribe: allow pre-filling feed URL if passed via query string
2020-09-16 17:20:31 +03:00
Andrew Dolgov
da5af2fae0
cached_url: block SVG images because of potential javascript inside
2020-09-16 16:25:20 +03:00
Andrew Dolgov
33fdde249e
pass CSRF token to opml import and feed icon replace dialogs
2020-09-16 06:43:55 +03:00
Andrew Dolgov
f693ebab21
fix default password nag dialog, load via xhr
2020-09-16 06:38:41 +03:00
Andrew Dolgov
77faa5d523
editFeed: only try to reload feed tree in preferences if its actually there
2020-09-15 18:55:34 +03:00
Andrew Dolgov
3f9390c45f
comments link: load in new tab
2020-09-15 18:49:03 +03:00
Andrew Dolgov
42b5564d1e
editarticletags: load dialog via XHR
2020-09-15 18:47:19 +03:00
Andrew Dolgov
0706a328a4
handler: default base csrf_ignore() to false
2020-09-15 18:16:33 +03:00
Andrew Dolgov
0a142912d3
backend handler: require CSRF, remove obsolete code
2020-09-15 18:08:08 +03:00
Andrew Dolgov
154417d80b
public/logout: require valid CSRF token
2020-09-15 16:59:11 +03:00
Andrew Dolgov
cbcb10a272
Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection
2020-09-15 16:28:09 +03:00
Andrew Dolgov
8080c525fd
- backend: require CSRF token to be passed via POST
...
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
2020-09-15 16:12:53 +03:00
Andrew Dolgov
aeaafefa07
don't pass csrf token as a GET parameter to Article
2020-09-15 16:03:09 +03:00
Andrew Dolgov
e670ac2ee5
require CSRF token for Article/redirect
2020-09-15 15:35:50 +03:00
Andrew Dolgov
7e50c6c4b5
- enable CSRF support earlier
...
- remove rpc/sanityCheck from CSRF-excluded calls
2020-09-15 15:32:17 +03:00
Andrew Dolgov
91e1542a82
af_proxy_http: require separate token to access imgproxy
2020-09-15 10:59:57 +03:00
Andrew Dolgov
1621abcffc
rewrite_relative_url: validate resulting absolutized URLs
2020-09-15 10:41:57 +03:00
Andrew Dolgov
aa89ea7769
validate_url: only allow safe ports (80, 443), disallow access to loopback
2020-09-15 10:39:09 +03:00
Andrew Dolgov
6c02fea641
validate_url: add clean()
2020-09-15 08:45:15 +03:00
Andrew Dolgov
4abc7d7898
rename base64_img() to image_to_base64()
2020-09-15 08:05:01 +03:00
Andrew Dolgov
79f102c25d
af_proxy_http: never print received data directly, always redirect to cached_url
...
cache/getUrl: basename() passed filename just in case
2020-09-15 08:02:28 +03:00
Andrew Dolgov
1ee458b5c1
cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks
2020-09-15 07:54:46 +03:00
Andrew Dolgov
0758397dd8
af_redditimgur: don't add embedded blank gif image for rewritten videos
2020-09-15 06:55:22 +03:00
Andrew Dolgov
4a074111b5
user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean())
2020-09-14 20:53:00 +03:00
Andrew Dolgov
da98ba662e
public/subscribe: require valid CSRF token when validating the form
2020-09-14 20:21:22 +03:00
Andrew Dolgov
b4cb67e77f
remove csrf token from rpc method sanityCheck
2020-09-14 20:00:01 +03:00
Andrew Dolgov
c3d14e1fa5
- fix multiple vulnerabilities in af_proxy_http
...
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
2020-09-14 19:46:52 +03:00
Andrew Dolgov
5b17fdc362
Merge branch 'weblate-integration'
2020-09-11 09:35:15 +03:00
Andrew Dolgov
a922b3cc6d
order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting
2020-09-11 07:48:22 +03:00
Andrew Dolgov
67f02e2aa7
properly return counters for labels with zero assigned articles
...
refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766
2020-08-29 08:41:52 +03:00
fox
5497a137de
Merge branch 'master' of rodneys_mission/tt-rss into master
2020-08-14 19:21:31 +00:00
Rodney Stromlund
88ced02622
Silence php 7.2 error message generated in `session_set_cookie_params`.
2020-08-14 10:47:46 -05:00
Andrew Dolgov
ddf9227dc4
pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc
2020-08-13 12:23:27 +03:00
Andrew Dolgov
dfa65e9374
move order_by to SQL override logic into a separate function
2020-08-13 11:52:32 +03:00
Andrew Dolgov
48be005774
instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp
2020-08-11 13:29:09 +03:00
Andrew Dolgov
05a47e5cf4
OPML: export/import per-feed purge interval
2020-08-10 11:57:39 +03:00
fox
2b50aaed61
Merge branch 'master' of e1e0/tt-rss into master
2020-08-01 15:44:04 +00:00
Paco Esteban
c4ee0e25a1
more int/string type mismatches on getCategories
2020-08-01 16:30:10 +02:00
fox
86ba8a96c4
Merge branch 'master' of e1e0/tt-rss into master
2020-08-01 05:52:58 +00:00
Marek Pavelka
f99de985c1
Translated using Weblate (Czech)
...
Currently translated at 100.0% (727 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/cs/
2020-07-31 16:23:42 +00:00
Paco Esteban
3da618e0ea
make sure all ints are casted (to int) on getCategories
2020-07-31 16:15:16 +02:00
Jan Espen Pedersen
68ccc8f636
Translated using Weblate (Norwegian Bokmål)
...
Currently translated at 44.7% (325 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
2020-07-19 16:40:06 +00:00
fox
376fe6271d
Merge branch 'master' of rodneys_mission/tt-rss-fix-sanity-urls into master
2020-07-13 14:41:05 +00:00
Rodney Stromlund
376dce02bb
Update wiki and forums links in error message.
2020-07-13 09:06:59 -05:00
fox
3b033a17f4
Merge branch 'feed-tree-localstorage' of nanaya/tt-rss into master
2020-07-09 18:02:02 +00:00
nanaya
8d8affdc45
Store FeedTree data in localStorage
...
Patching internal functions of dijit.Tree as they don't provide option on where to store the data.
It stores to cookies by default but the data can get quite big for hundreds of feeds and exceeds cookies size limit.
Not to mention it'll cause the cookie to be sent during any request with nothing handling it server side and just wasting bandwidth.
This patch will also migrate current data in cookie to local storage accordingly.
2020-07-09 01:52:46 +09:00