| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
| |
|
|\
| |
| |
| |
| | |
Security fixes
See merge request hubzilla/core!2017
|
| |
| |
| |
| |
| |
| |
| |
| | |
Don't follow urls to external sites when submitting forms from the
settings modules. This mitigates an Open Redirect vulnerability where an
attacker could trick a user to go to an attacker controlled destination.
Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Escape URLs provided by the rpath query param in settings modules. This
prevents a possible Cross-Site scripting vulnerability, where an
attacker could inject web scripts and html into the settings form via
the rpath query parameter, and have a user execute the script by
tricking them to clicking a link.
Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The escaping makes the URL safe for display and for use in HTML element
attributes (such as href="..." etc), but does not guarantee that the URL
itself is valid after conversion. This should be good enough for
mitigating XSS issues caused by injecting html or javascript into a URL.
Also probably good enough for _most_ normal URLs, but there may be
devils hidden in the details somewhere.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Limit valid chars in schema names, and discard attempts at loading
schemas with invalid names.
This prevents a local file inclusion vulnerability where an
unauthenticated attacker can include arbitrary php files readable by the
server process and potentially obtain remote code execution.
Valid schema names may consist of ascii letters, numbers, hyphens and
underscores. Should be good enough for most cases, I think.
Fixes https://framagit.org/hubzilla/core/-/issues/1665
|
|\ \ |
|
| |\ \
| | |/
| |/|
| | |
| | | |
redbasic/dark: Use bootstrap-nightfall for dark schema.
See merge request hubzilla/core!2016
|
| | |
| | |
| | |
| | | |
Makes buttons a bit less bright so they don't stick out quite as much.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is a color only stylesheet, modifying the original Bootstrap colors
to a dark variant. Insert this as base before the redbasic dark schema
modifications, and any custom modifications to have a nicer base for the
dark schema.
|
|/ / |
|
|\ \
| | |
| | |
| | |
| | | |
Use correct base url for stylesheets and js.
See merge request hubzilla/core!2015
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When trying to fetch an image file from the Cloud module, the default
nginx config will add a trailing & if there's no args specified.
Example:
https://example.com/cloud/username/some_image.png
This will be rewritten to:
https://example.com/index.php?q=/cloud/username/some_image.png&
This in turn will cause the Cloud module to try to redirect back to the
original because it does not match the query_string (in which the
ampersand has been converted to a question mark). And this will repeat
until the browser get's tired of it.
|
| | |
|
| |
| |
| |
| |
| |
| | |
Use z_root instead of script_path when formatting stylesheet and
javascript links for the head section. script_path does not preserve
information about the port if the site uses a nonstandard port.
|
| |
| |
| |
| | |
sure it will be a toplevel post
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
|/ |
|
|
|
|
| |
hamburger menu on small screens
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Typo in Setup.php prevents users from using Postgres
See merge request hubzilla/core!2014
(cherry picked from commit 0e2e9321025f87fe9587f3d183adaea6185e4e20)
d384f55d Typo in Setup.php prevents users from using Postgres
|
| | |
|
|/ |
|
| |
|
| |
|
|
|
|
| |
author issue if wall2wall comment arrives and author is not yet known
|
| |
|
| |
|
| |
|
|
|
|
| |
anymore
|
| |
|
| |
|
|
|
|
| |
description and requirements (this is work in progress)
|
| |
|
| |
|