Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | do not stringify integer value | Mario | 2022-05-11 | 1 | -1/+1 |
| | |||||
* | update queries in mod search - fixes #1677 | Mario | 2022-05-11 | 2 | -27/+24 |
| | |||||
* | deal with pleroma reactions | Mario | 2022-05-10 | 1 | -0/+8 |
| | |||||
* | use rev instead of _updated and the unix timestamp is less likely to cause ↵ | Mario | 2022-05-09 | 1 | -1/+1 |
| | | | | issues in the future | ||||
* | use addr for webfinger and name for the real name in the userinfo array | Mario | 2022-05-09 | 1 | -1/+2 |
| | |||||
* | add the update date to the icon url. some platforms will not update if the ↵ | Mario | 2022-05-07 | 1 | -1/+1 |
| | | | | icon url remains static | ||||
* | cleanup channel apps | Mario | 2022-05-07 | 1 | -24/+0 |
| | |||||
* | more cleanup | Mario | 2022-05-06 | 3 | -13/+6 |
| | |||||
* | some cleanup after moving articles and cards to addons | Mario | 2022-05-06 | 3 | -85/+3 |
| | |||||
* | fix core issue #1676 and a liked/disliked/commented confusion | Mario | 2022-05-06 | 2 | -9/+40 |
| | |||||
* | move wiki to addons | Mario | 2022-05-06 | 8 | -2112/+0 |
| | |||||
* | move articles to addon - also remove the pdl | Mario | 2022-05-04 | 1 | -14/+0 |
| | |||||
* | move articles to addon | Mario | 2022-05-04 | 2 | -370/+0 |
| | |||||
* | move cards to addon | Mario | 2022-05-04 | 7 | -383/+11 |
| | |||||
* | changelog and version | Mario Vavti | 2022-04-26 | 2 | -1/+5 |
| | |||||
* | hubloc in AS has been moved from data to meta a while ago | Mario Vavti | 2022-04-26 | 1 | -2/+2 |
| | |||||
* | version bump | Mario Vavti | 2022-04-25 | 1 | -1/+1 |
| | |||||
* | more changelog | Mario Vavti | 2022-04-25 | 1 | -0/+1 |
| | |||||
* | changelog | Mario Vavti | 2022-04-25 | 1 | -0/+9 |
| | |||||
* | whitespace | Mario Vavti | 2022-04-25 | 1 | -1/+1 |
| | |||||
* | if we have not been provided a profile id set the profile id to the default ↵ | Mario Vavti | 2022-04-25 | 1 | -0/+4 |
| | | | | profile - fixes #1671 | ||||
* | Merge branch 'dev' of https://framagit.org/hubzilla/core into dev | Mario Vavti | 2022-04-23 | 1 | -3/+8 |
|\ | |||||
| * | check if addons have been removed from the filesystem and also remove them ↵ | Mario | 2022-04-22 | 1 | -3/+8 |
| | | | | | | | | from the db if that is the case | ||||
* | | fix regression with incoming poll answers from activitypub | Mario Vavti | 2022-04-23 | 1 | -1/+1 |
|/ | |||||
* | move AP addressing to pubcrawl | Mario Vavti | 2022-04-07 | 1 | -122/+14 |
| | | | (cherry picked from commit 1390e1db399c06cb76e191437eb5be24dd95a5c7) | ||||
* | fixes in regard to hub re-installs: dismiss deleted hublocs, make sure we ↵ | Mario | 2022-04-01 | 3 | -11/+11 |
| | | | | use the latest hubloc entry for addressing, in Queue::deliver() prefer primaries since their info is probably more accurate | ||||
* | fix PHP error | Mario | 2022-03-31 | 1 | -3/+6 |
| | |||||
* | update changelog | Mario Vavti | 2022-03-29 | 1 | -1/+1 |
| | |||||
* | Merge branch 'fix-changelog' into 'dev' | Mario | 2022-03-27 | 1 | -2/+3 |
|\ | | | | | | | | | Update changelog with missing fix and cve See merge request hubzilla/core!2018 | ||||
| * | Update changelog with missing fix and cve | Harald Eilertsen | 2022-03-25 | 1 | -2/+3 |
|/ | |||||
* | changelog | Mario | 2022-03-25 | 1 | -0/+38 |
| | |||||
* | bump dev version | Mario | 2022-03-23 | 1 | -1/+1 |
| | |||||
* | strings | Mario | 2022-03-23 | 2 | -860/+933 |
| | |||||
* | make sure to set comments_closed to the created date if nocomment is set | Mario Vavti | 2022-03-23 | 1 | -1/+1 |
| | |||||
* | streamline comment policy with downstream | Mario | 2022-03-23 | 2 | -33/+5 |
| | |||||
* | Merge branch 'security-fixes-lfi-xss-open-redirect' into 'dev' | Mario | 2022-03-23 | 15 | -50/+122 |
|\ | | | | | | | | | Security fixes See merge request hubzilla/core!2017 | ||||
| * | CVE-2022-27256: Open redirect via rpath query param. | Harald Eilertsen | 2022-03-20 | 10 | -27/+27 |
| | | | | | | | | | | | | | | | | Don't follow urls to external sites when submitting forms from the settings modules. This mitigates an Open Redirect vulnerability where an attacker could trick a user to go to an attacker controlled destination. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666 | ||||
| * | Add function is_local_url() to check if url is local. | Harald Eilertsen | 2022-03-20 | 2 | -0/+41 |
| | | |||||
| * | CVE-2022-27258: XSS via rpath query param. | Harald Eilertsen | 2022-03-20 | 10 | -20/+20 |
| | | | | | | | | | | | | | | | | | | | | Escape URLs provided by the rpath query param in settings modules. This prevents a possible Cross-Site scripting vulnerability, where an attacker could inject web scripts and html into the settings form via the rpath query parameter, and have a user execute the script by tricking them to clicking a link. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666 | ||||
| * | Add helper to escape URLs. | Harald Eilertsen | 2022-03-20 | 2 | -0/+32 |
| | | | | | | | | | | | | | | | | | | The escaping makes the URL safe for display and for use in HTML element attributes (such as href="..." etc), but does not guarantee that the URL itself is valid after conversion. This should be good enough for mitigating XSS issues caused by injecting html or javascript into a URL. Also probably good enough for _most_ normal URLs, but there may be devils hidden in the details somewhere. | ||||
| * | CVE-2022-27257: LFI in Redbasic theme. | Harald Eilertsen | 2022-03-20 | 1 | -3/+2 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Limit valid chars in schema names, and discard attempts at loading schemas with invalid names. This prevents a local file inclusion vulnerability where an unauthenticated attacker can include arbitrary php files readable by the server process and potentially obtain remote code execution. Valid schema names may consist of ascii letters, numbers, hyphens and underscores. Should be good enough for most cases, I think. Fixes https://framagit.org/hubzilla/core/-/issues/1665 | ||||
* | | Merge branch 'dev' of https://framagit.org/hubzilla/core into dev | Mario | 2022-03-20 | 3 | -5/+1911 |
|\ \ | |||||
| * \ | Merge branch 'volse-redbasic-dark' into 'dev' | Mario | 2022-03-20 | 3 | -5/+1911 |
| |\ \ | | |/ | |/| | | | | | | | redbasic/dark: Use bootstrap-nightfall for dark schema. See merge request hubzilla/core!2016 | ||||
| | * | redbasic/dark: Tune button colours a bit. | Harald Eilertsen | 2022-03-13 | 1 | -5/+5 |
| | | | | | | | | | | | | Makes buttons a bit less bright so they don't stick out quite as much. | ||||
| | * | redbasic/dark: Use schema colour for dropdown item | Harald Eilertsen | 2022-03-13 | 1 | -0/+4 |
| | | | |||||
| | * | redbasic/dark: Use bootstrap-nightfall for dark schema. | Harald Eilertsen | 2022-03-13 | 2 | -0/+1902 |
| | | | | | | | | | | | | | | | | | | | | | This is a color only stylesheet, modifying the original Bootstrap colors to a dark variant. Insert this as base before the redbasic dark schema modifications, and any custom modifications to have a nicer base for the dark schema. | ||||
* | | | add the signing algo to zotinfo, and store it in import_xchan() if present | Mario | 2022-03-20 | 2 | -0/+9 |
|/ / | |||||
* | | Merge branch 'volse-fix-stylesheet-root-path' into 'dev' | Mario | 2022-03-17 | 2 | -42/+7 |
|\ \ | | | | | | | | | | | | | Use correct base url for stylesheets and js. See merge request hubzilla/core!2015 | ||||
| * | | Trim trailing & from query_string. | Harald Eilertsen | 2022-03-13 | 1 | -0/+5 |
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When trying to fetch an image file from the Cloud module, the default nginx config will add a trailing & if there's no args specified. Example: https://example.com/cloud/username/some_image.png This will be rewritten to: https://example.com/index.php?q=/cloud/username/some_image.png& This in turn will cause the Cloud module to try to redirect back to the original because it does not match the query_string (in which the ampersand has been converted to a question mark). And this will repeat until the browser get's tired of it. | ||||
| * | Remove now unused function script_path. | Harald Eilertsen | 2022-03-03 | 1 | -38/+0 |
| | |