aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* add a hidden config for the hs2019 http sig algoMario2022-05-191-2/+5
|
* rendering fixesMario2022-05-194-17/+22
|
* implement starring of pubstream itemsMario2022-05-182-12/+27
|
* make sure we use source.content when rendering events to correctly render ↵Mario2022-05-162-5/+12
| | | | observer related content. fix wrong media types.
* fix php errorsMario2022-05-141-3/+3
|
* add the title in forum post resharesMario2022-05-141-0/+1
|
* do not set allowed to true if verb is ACTIVITY_SHARE and slightly changed ↵Mario2022-05-131-3/+7
| | | | logic for conv fetches
* do not stringify integer valueMario2022-05-111-1/+1
|
* update queries in mod search - fixes #1677Mario2022-05-112-27/+24
|
* deal with pleroma reactionsMario2022-05-101-0/+8
|
* use rev instead of _updated and the unix timestamp is less likely to cause ↵Mario2022-05-091-1/+1
| | | | issues in the future
* use addr for webfinger and name for the real name in the userinfo arrayMario2022-05-091-1/+2
|
* add the update date to the icon url. some platforms will not update if the ↵Mario2022-05-071-1/+1
| | | | icon url remains static
* cleanup channel appsMario2022-05-071-24/+0
|
* more cleanupMario2022-05-063-13/+6
|
* some cleanup after moving articles and cards to addonsMario2022-05-063-85/+3
|
* fix core issue #1676 and a liked/disliked/commented confusionMario2022-05-062-9/+40
|
* move wiki to addonsMario2022-05-068-2112/+0
|
* move articles to addon - also remove the pdlMario2022-05-041-14/+0
|
* move articles to addonMario2022-05-042-370/+0
|
* move cards to addonMario2022-05-047-383/+11
|
* changelog and versionMario Vavti2022-04-262-1/+5
|
* hubloc in AS has been moved from data to meta a while agoMario Vavti2022-04-261-2/+2
|
* version bumpMario Vavti2022-04-251-1/+1
|
* more changelogMario Vavti2022-04-251-0/+1
|
* changelogMario Vavti2022-04-251-0/+9
|
* whitespaceMario Vavti2022-04-251-1/+1
|
* if we have not been provided a profile id set the profile id to the default ↵Mario Vavti2022-04-251-0/+4
| | | | profile - fixes #1671
* Merge branch 'dev' of https://framagit.org/hubzilla/core into devMario Vavti2022-04-231-3/+8
|\
| * check if addons have been removed from the filesystem and also remove them ↵Mario2022-04-221-3/+8
| | | | | | | | from the db if that is the case
* | fix regression with incoming poll answers from activitypubMario Vavti2022-04-231-1/+1
|/
* move AP addressing to pubcrawlMario Vavti2022-04-071-122/+14
| | | (cherry picked from commit 1390e1db399c06cb76e191437eb5be24dd95a5c7)
* fixes in regard to hub re-installs: dismiss deleted hublocs, make sure we ↵Mario2022-04-013-11/+11
| | | | use the latest hubloc entry for addressing, in Queue::deliver() prefer primaries since their info is probably more accurate
* fix PHP errorMario2022-03-311-3/+6
|
* update changelogMario Vavti2022-03-291-1/+1
|
* Merge branch 'fix-changelog' into 'dev'Mario2022-03-271-2/+3
|\ | | | | | | | | Update changelog with missing fix and cve See merge request hubzilla/core!2018
| * Update changelog with missing fix and cveHarald Eilertsen2022-03-251-2/+3
|/
* changelogMario2022-03-251-0/+38
|
* bump dev versionMario2022-03-231-1/+1
|
* stringsMario2022-03-232-860/+933
|
* make sure to set comments_closed to the created date if nocomment is setMario Vavti2022-03-231-1/+1
|
* streamline comment policy with downstreamMario2022-03-232-33/+5
|
* Merge branch 'security-fixes-lfi-xss-open-redirect' into 'dev'Mario2022-03-2315-50/+122
|\ | | | | | | | | Security fixes See merge request hubzilla/core!2017
| * CVE-2022-27256: Open redirect via rpath query param.Harald Eilertsen2022-03-2010-27/+27
| | | | | | | | | | | | | | | | Don't follow urls to external sites when submitting forms from the settings modules. This mitigates an Open Redirect vulnerability where an attacker could trick a user to go to an attacker controlled destination. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
| * Add function is_local_url() to check if url is local.Harald Eilertsen2022-03-202-0/+41
| |
| * CVE-2022-27258: XSS via rpath query param.Harald Eilertsen2022-03-2010-20/+20
| | | | | | | | | | | | | | | | | | | | Escape URLs provided by the rpath query param in settings modules. This prevents a possible Cross-Site scripting vulnerability, where an attacker could inject web scripts and html into the settings form via the rpath query parameter, and have a user execute the script by tricking them to clicking a link. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
| * Add helper to escape URLs.Harald Eilertsen2022-03-202-0/+32
| | | | | | | | | | | | | | | | | | The escaping makes the URL safe for display and for use in HTML element attributes (such as href="..." etc), but does not guarantee that the URL itself is valid after conversion. This should be good enough for mitigating XSS issues caused by injecting html or javascript into a URL. Also probably good enough for _most_ normal URLs, but there may be devils hidden in the details somewhere.
| * CVE-2022-27257: LFI in Redbasic theme.Harald Eilertsen2022-03-201-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Limit valid chars in schema names, and discard attempts at loading schemas with invalid names. This prevents a local file inclusion vulnerability where an unauthenticated attacker can include arbitrary php files readable by the server process and potentially obtain remote code execution. Valid schema names may consist of ascii letters, numbers, hyphens and underscores. Should be good enough for most cases, I think. Fixes https://framagit.org/hubzilla/core/-/issues/1665
* | Merge branch 'dev' of https://framagit.org/hubzilla/core into devMario2022-03-203-5/+1911
|\ \
| * \ Merge branch 'volse-redbasic-dark' into 'dev'Mario2022-03-203-5/+1911
| |\ \ | | |/ | |/| | | | | | | redbasic/dark: Use bootstrap-nightfall for dark schema. See merge request hubzilla/core!2016