Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Add function is_local_url() to check if url is local. | Harald Eilertsen | 2022-03-20 | 2 | -0/+41 |
| | |||||
* | CVE-2022-27258: XSS via rpath query param. | Harald Eilertsen | 2022-03-20 | 10 | -20/+20 |
| | | | | | | | | | | Escape URLs provided by the rpath query param in settings modules. This prevents a possible Cross-Site scripting vulnerability, where an attacker could inject web scripts and html into the settings form via the rpath query parameter, and have a user execute the script by tricking them to clicking a link. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666 | ||||
* | Add helper to escape URLs. | Harald Eilertsen | 2022-03-20 | 2 | -0/+32 |
| | | | | | | | | | The escaping makes the URL safe for display and for use in HTML element attributes (such as href="..." etc), but does not guarantee that the URL itself is valid after conversion. This should be good enough for mitigating XSS issues caused by injecting html or javascript into a URL. Also probably good enough for _most_ normal URLs, but there may be devils hidden in the details somewhere. | ||||
* | CVE-2022-27257: LFI in Redbasic theme. | Harald Eilertsen | 2022-03-20 | 1 | -3/+2 |
| | | | | | | | | | | | | | | Limit valid chars in schema names, and discard attempts at loading schemas with invalid names. This prevents a local file inclusion vulnerability where an unauthenticated attacker can include arbitrary php files readable by the server process and potentially obtain remote code execution. Valid schema names may consist of ascii letters, numbers, hyphens and underscores. Should be good enough for most cases, I think. Fixes https://framagit.org/hubzilla/core/-/issues/1665 | ||||
* | Merge branch 'volse-fix-stylesheet-root-path' into 'dev' | Mario | 2022-03-17 | 2 | -42/+7 |
|\ | | | | | | | | | Use correct base url for stylesheets and js. See merge request hubzilla/core!2015 | ||||
| * | Trim trailing & from query_string. | Harald Eilertsen | 2022-03-13 | 1 | -0/+5 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When trying to fetch an image file from the Cloud module, the default nginx config will add a trailing & if there's no args specified. Example: https://example.com/cloud/username/some_image.png This will be rewritten to: https://example.com/index.php?q=/cloud/username/some_image.png& This in turn will cause the Cloud module to try to redirect back to the original because it does not match the query_string (in which the ampersand has been converted to a question mark). And this will repeat until the browser get's tired of it. | ||||
| * | Remove now unused function script_path. | Harald Eilertsen | 2022-03-03 | 1 | -38/+0 |
| | | |||||
| * | Use correct base url for stylesheets and js. | Harald Eilertsen | 2022-03-03 | 1 | -4/+2 |
| | | | | | | | | | | | | Use z_root instead of script_path when formatting stylesheet and javascript links for the head section. script_path does not preserve information about the port if the site uses a nonstandard port. | ||||
* | | make sure an announce does not overwrite an item we already have and make ↵ | Mario | 2022-03-11 | 1 | -0/+7 |
| | | | | | | | | sure it will be a toplevel post | ||||
* | | whitespace | Mario | 2022-03-10 | 1 | -35/+35 |
| | | |||||
* | | support for hs2019 | Mario | 2022-03-10 | 2 | -16/+61 |
| | | |||||
* | | move attachments to the top | Mario | 2022-03-05 | 1 | -5/+5 |
| | | |||||
* | | remove logging | Mario | 2022-03-04 | 1 | -1/+1 |
| | | |||||
* | | event fixes | Mario | 2022-03-04 | 2 | -6/+10 |
| | | |||||
* | | bump version | Mario | 2022-03-04 | 1 | -1/+1 |
| | | |||||
* | | fix regression | Mario | 2022-03-04 | 1 | -2/+2 |
| | | |||||
* | | streamline event activity handling | Mario | 2022-03-04 | 2 | -61/+208 |
| | | |||||
* | | bump version | Mario | 2022-03-04 | 1 | -1/+1 |
| | | |||||
* | | port some ap quirks from the addon | Mario | 2022-03-04 | 1 | -15/+50 |
| | | |||||
* | | more work on enhanced content filters | Mario | 2022-03-03 | 2 | -3/+39 |
|/ | |||||
* | fix duplicate ids in login form and move login/register buttons into the ↵ | Mario | 2022-03-03 | 6 | -47/+57 |
| | | | | hamburger menu on small screens | ||||
* | collect the accept headers in an array | Mario | 2022-03-03 | 1 | -2/+6 |
| | |||||
* | Merge branch 'dev' of https://framagit.org/hubzilla/core into dev | Mario | 2022-03-02 | 1 | -2/+2 |
|\ | |||||
| * | Merge branch 't0rum-master-patch-68993' into 'master' | Mario | 2022-03-01 | 1 | -2/+2 |
| | | | | | | | | | | | | | | | | | | Typo in Setup.php prevents users from using Postgres See merge request hubzilla/core!2014 (cherry picked from commit 0e2e9321025f87fe9587f3d183adaea6185e4e20) d384f55d Typo in Setup.php prevents users from using Postgres | ||||
* | | composer updates | Mario | 2022-03-02 | 10 | -132/+145 |
| | | |||||
* | | port some peertube tweeks from pubcrawl to lib/activity | Mario | 2022-03-02 | 1 | -20/+47 |
|/ | |||||
* | fix feedutils regression | Mario | 2022-03-01 | 1 | -4/+4 |
| | |||||
* | enhanced content filters | Mario | 2022-03-01 | 8 | -90/+285 |
| | |||||
* | make gprobe deal with URLs, fix issue in get_actor_protocols and fix missing ↵ | Mario | 2022-02-28 | 3 | -15/+41 |
| | | | | author issue if wall2wall comment arrives and author is not yet known | ||||
* | missing content region for directory | Mario | 2022-02-23 | 1 | -0/+3 |
| | |||||
* | widget descriptions and add content region to all pdl files for convenience | Mario | 2022-02-23 | 89 | -91/+345 |
| | |||||
* | bump version | Mario | 2022-02-21 | 1 | -1/+1 |
| | |||||
* | this was required for old style forum posts only and should not be needed ↵ | Mario | 2022-02-21 | 1 | -9/+11 |
| | | | | anymore | ||||
* | do not require network for forums widget | Mario | 2022-02-21 | 1 | -1/+0 |
| | |||||
* | remove deprecated widgets and add some more widget descriptions | Mario | 2022-02-21 | 27 | -166/+148 |
| | |||||
* | merge branch pdledit_gui into dev - many widgets still miss their ↵ | Mario | 2022-02-20 | 26 | -41/+1049 |
| | | | | description and requirements (this is work in progress) | ||||
* | thr_parent lost across edits | Mario | 2022-02-18 | 1 | -0/+1 |
| | |||||
* | composer update | Mario | 2022-02-18 | 2 | -12/+12 |
| | |||||
* | Merge branch 'undefined' into 'dev' | Mario | 2022-02-15 | 1 | -29/+60 |
|\ | | | | | | | | | Replace htconfig.tpl fr See merge request hubzilla/core!2008 | ||||
| * | Replace htconfig.tpl fr | Dan d'Auge | 2022-02-13 | 1 | -29/+60 |
| | | |||||
* | | Merge branch 'dandauge-dev-patch-02109' into 'dev' | Mario | 2022-02-15 | 1 | -30/+32 |
|\ \ | | | | | | | | | | | | | Update lostpass_eml.tpl fr See merge request hubzilla/core!2009 | ||||
| * | | Update lostpass_eml.tpl fr | Dan d'Auge | 2022-02-13 | 1 | -30/+32 |
| |/ | |||||
* | | Merge branch 'dandauge-dev-patch-69038' into 'dev' | Mario | 2022-02-15 | 1 | -0/+1 |
|\ \ | | | | | | | | | | | | | Upload New File : invite.material.subject.tpl fr See merge request hubzilla/core!2010 | ||||
| * | | Upload New File : invite.material.subject.tpl fr | Dan d'Auge | 2022-02-13 | 1 | -0/+1 |
| |/ | |||||
* | | Merge branch 'dandauge-dev-patch-34611' into 'dev' | Mario | 2022-02-15 | 1 | -0/+1 |
|\ \ | | | | | | | | | | | | | Upload New File : invite.material.tpl fr See merge request hubzilla/core!2011 | ||||
| * | | Upload New File : invite.material.tpl fr | Dan d'Auge | 2022-02-13 | 1 | -0/+1 |
| |/ | |||||
* | | Merge branch 'dandauge-dev-patch-30995' into 'dev' | Mario | 2022-02-15 | 1 | -19/+21 |
|\ \ | | | | | | | | | | | | | Update passchanged_eml.tpl fr See merge request hubzilla/core!2012 | ||||
| * | | Update passchanged_eml.tpl fr | Dan d'Auge | 2022-02-13 | 1 | -19/+21 |
| |/ | |||||
* | | Merge branch 'dandauge-dev-patch-92660' into 'dev' | Mario | 2022-02-15 | 1 | -16/+21 |
|\ \ | | | | | | | | | | | | | Update update_fail_eml.tpl fr See merge request hubzilla/core!2013 | ||||
| * | | Update update_fail_eml.tpl fr | Dan d'Auge | 2022-02-13 | 1 | -16/+21 |
| |/ |