Commit Graph

840 Commits

Author SHA1 Message Date
Andrew Dolgov 91285e3868 router: add additional logging for refused requests; reject requests for methods starting with _ 2021-02-15 16:34:44 +03:00
Andrew Dolgov 6af83e3881 drop ENABLE_GZIP_OUTPUT; system prefs: load php info only if needed 2021-02-12 21:43:38 +03:00
Andrew Dolgov e6624cf631 fix a few more session-related warnings 2021-02-12 21:24:49 +03:00
Andrew Dolgov 403dca154c initial WIP for php8; bump php version requirement to 7.0 2021-02-05 23:41:32 +03:00
Andrew Dolgov 8aa1b0fed6 purge_intervals global: set '1 week old' to mean 7 days instead of 5 (???) 2020-12-15 08:49:02 +03:00
Andrew Dolgov 490df818aa router: only allow functions without required parameters as handler methods 2020-09-22 09:34:39 +03:00
Andrew Dolgov 74568df4ff remove a lot of stuff from global context (functions.php), add a few helper classes instead 2020-09-22 09:04:33 +03:00
Andrew Dolgov 154417d80b public/logout: require valid CSRF token 2020-09-15 16:59:11 +03:00
Andrew Dolgov 8080c525fd - backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
2020-09-15 16:12:53 +03:00
Andrew Dolgov 63ee91c82e backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.
This should prevent a potential router vulnerability if a non-IHandler autoloader-enabled class is requested by a malicious authorized user *and* the invoked class object does something insecure in its constructor.
2019-12-20 14:39:38 +03:00
Andrew Dolgov 0697eca0e1 remove testing for get_magic_quotes_gpc: deprecated in php7.4, apparently not working since php 5.4 2019-12-06 07:34:50 +03:00
Andrew Dolgov c43f3e469e update intervals: use less broken English for a change 2015-07-15 16:39:16 +03:00
Andrew Dolgov 27f7b59353 add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 13:02:24 +03:00
Andrew Dolgov 1f29443530 fix missing DB object when instantiated to import opml 2013-04-18 23:19:14 +04:00
Andrew Dolgov 1ffe3391f9 make pluginhost a singleton 2013-04-18 12:27:34 +04:00
Andrew Dolgov eefaa2df38 remove db_connect, db_close; CLI fixes 2013-04-17 17:00:35 +04:00
Andrew Dolgov 6322ac79a0 remove $link 2013-04-17 16:48:41 +04:00
Andrew Dolgov 404e2e3603 more work on singleton-based DB 2013-04-17 15:36:48 +04:00
Andrew Dolgov ba68b6815a db updates, remove init_connection() 2013-04-17 14:23:35 +04:00
Andrew Dolgov ccfa90803b backend: add session validation check 2013-04-11 21:39:54 +04:00
Andrew Dolgov 2e35a7070b generated feeds: support if-modified-since 2013-04-01 21:08:32 +04:00
Andrew Dolgov 1ebf3b979e replace getmicrotime() wrapper with microtime(true) (2) 2013-02-27 22:20:14 +04:00
Andrew Dolgov 7d1a91d56c use text/json content-type in a few more places 2013-01-12 16:02:37 +04:00
Andrew Dolgov 23419d117b modify includes to init session before translations are applied 2013-01-05 01:28:07 +04:00
Andrew Dolgov de612e7a38 experimental support for per-user plugins (bump schema) 2012-12-25 00:45:10 +04:00
Andrew Dolgov 19b3992b78 remove magpie, fix article filter plugins 2012-12-24 13:45:34 +04:00
Andrew Dolgov 8dcb2b4762 implement plugin routing masks, add example plugin 2012-12-23 23:05:51 +04:00
Andrew Dolgov 19c7350770 experimental new plugin system 2012-12-23 14:52:18 +04:00
Andrew Dolgov 88e8fb3a71 modify include path order (closes #514) 2012-12-09 13:41:22 +04:00
Andrew Dolgov 675f198a7c rework login form 2012-09-10 20:15:45 +04:00
Andrew Dolgov 97acbaf190 login system fixes
remove old-style session checking from backend.php
move outside subscription endpoint to public.php, change subscription
bookmarklet
2012-09-10 19:01:06 +04:00
Andrew Dolgov 304aadb907 remove twitter-specific code 2012-09-07 10:23:46 +04:00
Andrew Dolgov 9aceda3afc remove hook-based plugins 2012-08-21 14:37:43 +04:00
Andrew Dolgov 369dbc19d6 rework class system to use subdirectories
add placeholder plugin/hook system
2012-08-17 14:22:33 +04:00
Andrew Dolgov 143d1b31a8 routing: check if created handler is a subclass of Handler 2012-08-16 15:43:52 +04:00
Andrew Dolgov 0d421af86f split authentication to separate modules 2012-08-16 15:30:49 +04:00
Andrew Dolgov 545ca06789 do not perform sanity checks on each backend request 2012-07-10 15:24:04 +04:00
Andrew Dolgov 6a79e8afeb only enable ob_gzhandler if it exists 2012-03-20 14:45:43 +04:00
Andrew Dolgov 66b042fcfe do not generate warning on csrf_token being unassigned 2012-01-08 23:51:47 +04:00
Andrew Dolgov 7a5d9b95c4 disable csrf logging 2011-12-26 12:04:17 +04:00
Andrew Dolgov 8484ce2258 experimental CSRF protection 2011-12-26 12:02:52 +04:00
Andrew Dolgov f03a795de7 include path fix for lighttpd 2011-12-15 18:19:38 +04:00
Andrew Dolgov de8260cb10 move API to classes/ 2011-12-13 15:40:42 +04:00
Andrew Dolgov 5f0a3741d0 add Public_Handler
misc code cleanup
2011-12-13 14:49:11 +04:00
Andrew Dolgov 8e17d6636e add Pref_Filters 2011-12-13 14:09:34 +04:00
Andrew Dolgov 66665fba79 add Pref_Users class 2011-12-13 14:02:37 +04:00
Andrew Dolgov cbe50c800d add pref_labels class 2011-12-13 13:34:43 +04:00
Andrew Dolgov 678dda79e3 compat fix for old-style backend methods 2011-12-13 12:48:10 +04:00
Andrew Dolgov 4f09f594c2 move help to backend class 2011-12-13 11:02:43 +04:00
Andrew Dolgov 611efae712 add catchall backend class 2011-12-13 10:58:30 +04:00