Commit Graph

18 Commits

Author SHA1 Message Date
Andrew Dolgov 660a1bbe01 * switch to xhr.post() almost everywhere
* call App.handlerpcjson() automatically on json request (if possible)
 * show net/log indicators in prefs
2021-02-19 13:44:56 +03:00
Andrew Dolgov ee0b66b6bd af_proxy_http: markup cleanup 2021-02-18 12:13:13 +03:00
Andrew Dolgov e4609c18ef * add (disabled) shortcut syntax for plugin methods
* add controls shortcut for pluginhandler tags
 * add similar shortcut for frontend
 * allow plugins to selectively exclude their methods from CSRF checking
2021-02-17 21:44:21 +03:00
Andrew Dolgov 35b6d63289 af_proxy_http: don't try to proxy back to ourselves 2021-02-17 16:27:52 +03:00
Andrew Dolgov f58c49beaa replace a few more controls to new style 2021-02-16 18:50:18 +03:00
Andrew Dolgov 1f43d7916c replace print_hidden with hidden_tag 2021-02-16 14:32:06 +03:00
Andrew Dolgov 166f2d4666 diskcache: unify naming 2021-02-15 16:11:30 +03:00
Andrew Dolgov 7874f6ac58 remove PHPMD.UnusedFormalParameter 2021-02-08 19:42:10 +03:00
Andrew Dolgov 403dca154c initial WIP for php8; bump php version requirement to 7.0 2021-02-05 23:41:32 +03:00
JustAMacUser 65b3926ae5 Ensure proxy_all setting is saved in database. 2020-10-11 01:31:30 -04:00
Andrew Dolgov 74568df4ff remove a lot of stuff from global context (functions.php), add a few helper classes instead 2020-09-22 09:04:33 +03:00
Andrew Dolgov a817d3794d * use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
2020-09-17 08:59:18 +03:00
Andrew Dolgov 91e1542a82 af_proxy_http: require separate token to access imgproxy 2020-09-15 10:59:57 +03:00
Andrew Dolgov 79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
2020-09-15 08:02:28 +03:00
Andrew Dolgov c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
2020-09-14 19:46:52 +03:00
Andrew Dolgov 10c63ed582 pluginhost: add helper methods to get private/public pluginmethod endpoint URLs 2019-08-15 20:23:45 +03:00
Andrew Dolgov bdf29856fb fix several leftover mentions of old (renamed) class name, duh 2019-08-15 17:12:59 +03:00
Andrew Dolgov de5669f723 af_zz_imgproxy: rename to af_proxy_http, use priority hook loader 2019-08-15 16:27:53 +03:00