aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'security-fixes-lfi-xss-open-redirect' into 'dev'Mario2022-03-2315-50/+122
|\ | | | | | | | | Security fixes See merge request hubzilla/core!2017
| * CVE-2022-27256: Open redirect via rpath query param.Harald Eilertsen2022-03-2010-27/+27
| | | | | | | | | | | | | | | | Don't follow urls to external sites when submitting forms from the settings modules. This mitigates an Open Redirect vulnerability where an attacker could trick a user to go to an attacker controlled destination. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
| * Add function is_local_url() to check if url is local.Harald Eilertsen2022-03-202-0/+41
| |
| * CVE-2022-27258: XSS via rpath query param.Harald Eilertsen2022-03-2010-20/+20
| | | | | | | | | | | | | | | | | | | | Escape URLs provided by the rpath query param in settings modules. This prevents a possible Cross-Site scripting vulnerability, where an attacker could inject web scripts and html into the settings form via the rpath query parameter, and have a user execute the script by tricking them to clicking a link. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
| * Add helper to escape URLs.Harald Eilertsen2022-03-202-0/+32
| | | | | | | | | | | | | | | | | | The escaping makes the URL safe for display and for use in HTML element attributes (such as href="..." etc), but does not guarantee that the URL itself is valid after conversion. This should be good enough for mitigating XSS issues caused by injecting html or javascript into a URL. Also probably good enough for _most_ normal URLs, but there may be devils hidden in the details somewhere.
| * CVE-2022-27257: LFI in Redbasic theme.Harald Eilertsen2022-03-201-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Limit valid chars in schema names, and discard attempts at loading schemas with invalid names. This prevents a local file inclusion vulnerability where an unauthenticated attacker can include arbitrary php files readable by the server process and potentially obtain remote code execution. Valid schema names may consist of ascii letters, numbers, hyphens and underscores. Should be good enough for most cases, I think. Fixes https://framagit.org/hubzilla/core/-/issues/1665
* | Merge branch 'dev' of https://framagit.org/hubzilla/core into devMario2022-03-203-5/+1911
|\ \
| * \ Merge branch 'volse-redbasic-dark' into 'dev'Mario2022-03-203-5/+1911
| |\ \ | | |/ | |/| | | | | | | redbasic/dark: Use bootstrap-nightfall for dark schema. See merge request hubzilla/core!2016
| | * redbasic/dark: Tune button colours a bit.Harald Eilertsen2022-03-131-5/+5
| | | | | | | | | | | | Makes buttons a bit less bright so they don't stick out quite as much.
| | * redbasic/dark: Use schema colour for dropdown itemHarald Eilertsen2022-03-131-0/+4
| | |
| | * redbasic/dark: Use bootstrap-nightfall for dark schema.Harald Eilertsen2022-03-132-0/+1902
| | | | | | | | | | | | | | | | | | | | | This is a color only stylesheet, modifying the original Bootstrap colors to a dark variant. Insert this as base before the redbasic dark schema modifications, and any custom modifications to have a nicer base for the dark schema.
* | | add the signing algo to zotinfo, and store it in import_xchan() if presentMario2022-03-202-0/+9
|/ /
* | Merge branch 'volse-fix-stylesheet-root-path' into 'dev'Mario2022-03-172-42/+7
|\ \ | | | | | | | | | | | | Use correct base url for stylesheets and js. See merge request hubzilla/core!2015
| * | Trim trailing & from query_string.Harald Eilertsen2022-03-131-0/+5
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When trying to fetch an image file from the Cloud module, the default nginx config will add a trailing & if there's no args specified. Example: https://example.com/cloud/username/some_image.png This will be rewritten to: https://example.com/index.php?q=/cloud/username/some_image.png& This in turn will cause the Cloud module to try to redirect back to the original because it does not match the query_string (in which the ampersand has been converted to a question mark). And this will repeat until the browser get's tired of it.
| * Remove now unused function script_path.Harald Eilertsen2022-03-031-38/+0
| |
| * Use correct base url for stylesheets and js.Harald Eilertsen2022-03-031-4/+2
| | | | | | | | | | | | Use z_root instead of script_path when formatting stylesheet and javascript links for the head section. script_path does not preserve information about the port if the site uses a nonstandard port.
* | make sure an announce does not overwrite an item we already have and make ↵Mario2022-03-111-0/+7
| | | | | | | | sure it will be a toplevel post
* | whitespaceMario2022-03-101-35/+35
| |
* | support for hs2019Mario2022-03-102-16/+61
| |
* | move attachments to the topMario2022-03-051-5/+5
| |
* | remove loggingMario2022-03-041-1/+1
| |
* | event fixesMario2022-03-042-6/+10
| |
* | bump versionMario2022-03-041-1/+1
| |
* | fix regressionMario2022-03-041-2/+2
| |
* | streamline event activity handlingMario2022-03-042-61/+208
| |
* | bump versionMario2022-03-041-1/+1
| |
* | port some ap quirks from the addonMario2022-03-041-15/+50
| |
* | more work on enhanced content filtersMario2022-03-032-3/+39
|/
* fix duplicate ids in login form and move login/register buttons into the ↵Mario2022-03-036-47/+57
| | | | hamburger menu on small screens
* collect the accept headers in an arrayMario2022-03-031-2/+6
|
* Merge branch 'dev' of https://framagit.org/hubzilla/core into devMario2022-03-021-2/+2
|\
| * Merge branch 't0rum-master-patch-68993' into 'master'Mario2022-03-011-2/+2
| | | | | | | | | | | | | | | | | | Typo in Setup.php prevents users from using Postgres See merge request hubzilla/core!2014 (cherry picked from commit 0e2e9321025f87fe9587f3d183adaea6185e4e20) d384f55d Typo in Setup.php prevents users from using Postgres
* | composer updatesMario2022-03-0210-132/+145
| |
* | port some peertube tweeks from pubcrawl to lib/activityMario2022-03-021-20/+47
|/
* fix feedutils regressionMario2022-03-011-4/+4
|
* enhanced content filtersMario2022-03-018-90/+285
|
* make gprobe deal with URLs, fix issue in get_actor_protocols and fix missing ↵Mario2022-02-283-15/+41
| | | | author issue if wall2wall comment arrives and author is not yet known
* missing content region for directoryMario2022-02-231-0/+3
|
* widget descriptions and add content region to all pdl files for convenienceMario2022-02-2389-91/+345
|
* bump versionMario2022-02-211-1/+1
|
* this was required for old style forum posts only and should not be needed ↵Mario2022-02-211-9/+11
| | | | anymore
* do not require network for forums widgetMario2022-02-211-1/+0
|
* remove deprecated widgets and add some more widget descriptionsMario2022-02-2127-166/+148
|
* merge branch pdledit_gui into dev - many widgets still miss their ↵Mario2022-02-2026-41/+1049
| | | | description and requirements (this is work in progress)
* thr_parent lost across editsMario2022-02-181-0/+1
|
* composer updateMario2022-02-182-12/+12
|
* Merge branch 'undefined' into 'dev'Mario2022-02-151-29/+60
|\ | | | | | | | | Replace htconfig.tpl fr See merge request hubzilla/core!2008
| * Replace htconfig.tpl frDan d'Auge2022-02-131-29/+60
| |
* | Merge branch 'dandauge-dev-patch-02109' into 'dev'Mario2022-02-151-30/+32
|\ \ | | | | | | | | | | | | Update lostpass_eml.tpl fr See merge request hubzilla/core!2009
| * | Update lostpass_eml.tpl frDan d'Auge2022-02-131-30/+32
| |/