Age | Commit message | Author

2020-09-17 | fetch_file_contents: resolve requested hosts and check for possible loopback address | Andrew Dolgov

2020-09-16 | build_url: also put query parameters and fragment in resulting URL | Andrew Dolgov
    rewrite_relative_url: simplify handling of relative URLs

2020-09-16 | subscribe: allow pre-filling feed URL if passed via query string | Andrew Dolgov

2020-09-16 | cached_url: block SVG images because of potential javascript inside | Andrew Dolgov

2020-09-16 | pass CSRF token to opml import and feed icon replace dialogs | Andrew Dolgov

2020-09-16 | fix default password nag dialog, load via xhr | Andrew Dolgov

2020-09-15 | editFeed: only try to reload feed tree in preferences if it's actually there | Andrew Dolgov

2020-09-15 | comments link: load in new tab | Andrew Dolgov

2020-09-15 | editarticletags: load dialog via XHR | Andrew Dolgov

2020-09-15 | handler: default base csrf_ignore() to false | Andrew Dolgov

2020-09-15 | backend handler: require CSRF, remove obsolete code | Andrew Dolgov

2020-09-15 | public/logout: require valid CSRF token | Andrew Dolgov

2020-09-15 | Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection | Andrew Dolgov

2020-09-15 | - backend: require CSRF token to be passed via POST | Andrew Dolgov
    - do not leak CSRF token via GET request in feed debugger
    - rework Article/redirect to use POST

2020-09-15 | don't pass csrf token as a GET parameter to Article | Andrew Dolgov

2020-09-15 | require CSRF token for Article/redirect | Andrew Dolgov

2020-09-15 | - enable CSRF support earlier | Andrew Dolgov
    - remove rpc/sanityCheck from CSRF-excluded calls

2020-09-15 | af_proxy_http: require separate token to access imgproxy | Andrew Dolgov

2020-09-15 | rewrite_relative_url: validate resulting absolutized URLs | Andrew Dolgov

2020-09-15 | validate_url: only allow safe ports (80, 443), disallow access to loopback | Andrew Dolgov

2020-09-15 | validate_url: add clean() | Andrew Dolgov

2020-09-15 | rename base64_img() to image_to_base64() | Andrew Dolgov

2020-09-15 | af_proxy_http: never print received data directly, always redirect to cached_url | Andrew Dolgov
    cache/getUrl: basename() passed filename just in case

2020-09-15 | cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks | Andrew Dolgov

2020-09-15 | af_redditimgur: don't add embedded blank gif image for rewritten videos | Andrew Dolgov

2020-09-14 | user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean()) | Andrew Dolgov

2020-09-14 | public/subscribe: require valid CSRF token when validating the form | Andrew Dolgov

2020-09-14 | remove csrf token from rpc method sanityCheck | Andrew Dolgov

2020-09-14 | - fix multiple vulnerabilities in af_proxy_http | Andrew Dolgov
    - fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
    - fetch_file_contents: validate all URLs before requesting them
    - validate URLs: explicitly whitelist http and https scheme, forbid everything else
    - DiskCache/cached_url: only serve whitelisted content types (images, video)
    - simplify filename/URL handling code, remove and consolidate some less-used functions

2020-09-11 | Merge branch 'weblate-integration' | Andrew Dolgov

2020-09-11 | order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting | Andrew Dolgov

2020-08-29 | properly return counters for labels with zero assigned articles | Andrew Dolgov
    refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766

2020-08-14 | Merge branch 'master' of rodneys_mission/tt-rss into master | fox

2020-08-14 | Silence php 7.2 error message generated in `session_set_cookie_params`. | Rodney Stromlund

2020-08-13 | pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc | Andrew Dolgov

2020-08-13 | move order_by to SQL override logic into a separate function | Andrew Dolgov

2020-08-11 | instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp | Andrew Dolgov

2020-08-10 | OPML: export/import per-feed purge interval | Andrew Dolgov

2020-08-01 | Merge branch 'master' of e1e0/tt-rss into master | fox

2020-08-01 | more int/string type mismatches on getCategories | Paco Esteban

2020-08-01 | Merge branch 'master' of e1e0/tt-rss into master | fox

2020-07-31 | Translated using Weblate (Czech) | Marek Pavelka
    Currently translated at 100.0% (727 of 727 strings)
    Translation: Tiny Tiny RSS/messages
    Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/cs/

2020-07-31 | make sure all ints are cast (to int) on getCategories | Paco Esteban

2020-07-19 | Translated using Weblate (Norwegian Bokmål) | Jan Espen Pedersen
    Currently translated at 44.7% (325 of 727 strings)
    Translation: Tiny Tiny RSS/messages
    Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/

2020-07-13 | Merge branch 'master' of rodneys_mission/tt-rss-fix-sanity-urls into master | fox

2020-07-13 | Update wiki and forums links in error message. | Rodney Stromlund

2020-07-09 | Merge branch 'feed-tree-localstorage' of nanaya/tt-rss into master | fox

2020-07-09 | Store FeedTree data in localStorage | nanaya
    Patching internal functions of dijit.Tree as they don't provide an option on where to store the data. It stores to cookies by default, but the data can get quite big for hundreds of feeds and exceeds the cookie size limit. Not to mention it'll cause the cookie to be sent during any request with nothing handling it server side, just wasting bandwidth. This patch will also migrate current data in the cookie to local storage accordingly.

2020-07-03 | Translated using Weblate (Norwegian Bokmål) | Jan Espen Pedersen
    Currently translated at 44.7% (325 of 727 strings)
    Translation: Tiny Tiny RSS/messages
    Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/

2020-07-03 | Translated using Weblate (Norwegian Bokmål) | Anonymous
    Currently translated at 44.7% (325 of 727 strings)
    Translation: Tiny Tiny RSS/messages
    Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/