Age | Commit message | Author | |
---|---|---|---|
2020-09-17 | replace some plain http links with https | Andrew Dolgov | |
2020-09-17 | * use get_random_bytes() for CSRF token * get_random_bytes: use PHP7 random_bytes() if it is available * validate CSRF token using hash_equals | Andrew Dolgov | |
2020-09-17 | auth_internal: use type-strict comparison when checking OTP code | Andrew Dolgov | |
2020-09-17 | fix typo in previous | Andrew Dolgov | |
2020-09-17 | fix OTP QR code not displayed because of CSRF token passed as a query parameter; use type-strict comparison when validating CSRF token on the backend | Andrew Dolgov | |
2020-09-17 | amend previous to 127/8 subnet | Andrew Dolgov | |
2020-09-17 | fetch_file_contents: resolve requested hosts and check for possible loopback address | Andrew Dolgov | |
2020-09-16 | build_url: also put query parameters and fragment in resulting URL; rewrite_relative_url: simplify handling of relative URLs | Andrew Dolgov | |
2020-09-16 | subscribe: allow pre-filling feed URL if passed via query string | Andrew Dolgov | |
2020-09-16 | cached_url: block SVG images because of potential javascript inside | Andrew Dolgov | |
2020-09-16 | pass CSRF token to opml import and feed icon replace dialogs | Andrew Dolgov | |
2020-09-16 | fix default password nag dialog, load via xhr | Andrew Dolgov | |
2020-09-15 | editFeed: only try to reload feed tree in preferences if it's actually there | Andrew Dolgov | |
2020-09-15 | comments link: load in new tab | Andrew Dolgov | |
2020-09-15 | editarticletags: load dialog via XHR | Andrew Dolgov | |
2020-09-15 | handler: default base csrf_ignore() to false | Andrew Dolgov | |
2020-09-15 | backend handler: require CSRF, remove obsolete code | Andrew Dolgov | |
2020-09-15 | public/logout: require valid CSRF token | Andrew Dolgov | |
2020-09-15 | Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection | Andrew Dolgov | |
2020-09-15 | - backend: require CSRF token to be passed via POST - do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST | Andrew Dolgov | |
2020-09-15 | don't pass csrf token as a GET parameter to Article | Andrew Dolgov | |
2020-09-15 | require CSRF token for Article/redirect | Andrew Dolgov | |
2020-09-15 | - enable CSRF support earlier - remove rpc/sanityCheck from CSRF-excluded calls | Andrew Dolgov | |
2020-09-15 | af_proxy_http: require separate token to access imgproxy | Andrew Dolgov | |
2020-09-15 | rewrite_relative_url: validate resulting absolutized URLs | Andrew Dolgov | |
2020-09-15 | validate_url: only allow safe ports (80, 443), disallow access to loopback | Andrew Dolgov | |
2020-09-15 | validate_url: add clean() | Andrew Dolgov | |
2020-09-15 | rename base64_img() to image_to_base64() | Andrew Dolgov | |
2020-09-15 | af_proxy_http: never print received data directly, always redirect to cached_url; cache/getUrl: basename() passed filename just in case | Andrew Dolgov | |
2020-09-15 | cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks | Andrew Dolgov | |
2020-09-15 | af_redditimgur: don't add embedded blank gif image for rewritten videos | Andrew Dolgov | |
2020-09-14 | user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean()) | Andrew Dolgov | |
2020-09-14 | public/subscribe: require valid CSRF token when validating the form | Andrew Dolgov | |
2020-09-14 | remove csrf token from rpc method sanityCheck | Andrew Dolgov | |
2020-09-14 | - fix multiple vulnerabilities in af_proxy_http - fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized - fetch_file_contents: validate all URLs before requesting them - validate URLs: explicitly whitelist http and https scheme, forbid everything else - DiskCache/cached_url: only serve whitelisted content types (images, video) - simplify filename/URL handling code, remove and consolidate some less-used functions | Andrew Dolgov | |
2020-09-11 | Merge branch 'weblate-integration' | Andrew Dolgov | |
2020-09-11 | order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting | Andrew Dolgov | |
2020-08-29 | properly return counters for labels with zero assigned articles; refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766 | Andrew Dolgov | |
2020-08-14 | Merge branch 'master' of rodneys_mission/tt-rss into master | fox | |
2020-08-14 | Silence php 7.2 error message generated in `session_set_cookie_params`. | Rodney Stromlund | |
2020-08-13 | pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc | Andrew Dolgov | |
2020-08-13 | move order_by to SQL override logic into a separate function | Andrew Dolgov | |
2020-08-11 | instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp | Andrew Dolgov | |
2020-08-10 | OPML: export/import per-feed purge interval | Andrew Dolgov | |
2020-08-01 | Merge branch 'master' of e1e0/tt-rss into master | fox | |
2020-08-01 | more int/string type mismatches on getCategories | Paco Esteban | |
2020-08-01 | Merge branch 'master' of e1e0/tt-rss into master | fox | |
2020-07-31 | Translated using Weblate (Czech): currently translated at 100.0% (727 of 727 strings). Translation: Tiny Tiny RSS/messages. Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/cs/ | Marek Pavelka | |
2020-07-31 | make sure all ints are cast (to int) on getCategories | Paco Esteban | |
2020-07-19 | Translated using Weblate (Norwegian Bokmål): currently translated at 44.7% (325 of 727 strings). Translation: Tiny Tiny RSS/messages. Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/ | Jan Espen Pedersen | |
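The September 2020 hardening commits above describe two checks worth seeing together: an outbound-URL guard (validate_url restricted to the http and https schemes and ports 80/443, fetch_file_contents resolving the requested host and refusing 127.0.0.0/8) and token handling built on get_random_bytes()/random_bytes() with hash_equals and type-strict comparison for CSRF and OTP values. The PHP below is an added example written for this page, not tt-rss's own implementation; the function names validate_outbound_url, is_blocked_ip, make_csrf_token and token_matches, the injectable resolver, and the hostnames and addresses in the constructed sample are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not tt-rss code: an outbound-URL guard in the spirit of the
// validate_url / fetch_file_contents commits, plus CSRF/OTP token checks done
// the way the get_random_bytes()/hash_equals commits describe. Function names,
// the injectable resolver and the sample hosts below are assumptions.

const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_PORTS   = [80, 443];

/** True for loopback (127.0.0.0/8, ::1), link-local, private and other reserved addresses. */
function is_blocked_ip(string $ip): bool
{
    // filter_var() returns false for private and reserved ranges when these flags
    // are set; 127.0.0.0/8, ::1 and ::ffff:0:0/96 are among the reserved ones.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

/**
 * Returns $url if it may be fetched, null if it must be refused.
 * $resolver(host) returns a list of IP strings; it is injectable so the
 * logic can be exercised offline (the default uses real DNS).
 */
function validate_outbound_url(string $url, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
        return null;                                   // file:, php:, gopher:, data: ...
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, ALLOWED_PORTS, true)) {
        return null;                                   // no probing of internal services
    }
    $host = trim($parts['host'], '[]');                // IPv6 literals come bracketed
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_blocked_ip($host) ? null : $url;     // literal address: check it directly
    }
    // Hostname: resolve it and refuse if ANY answer is a blocked address. This still
    // leaves a DNS-rebinding window between this lookup and the real request, so the
    // HTTP client should also pin or re-check the address it actually connects to.
    $resolver ??= static function (string $h): array {
        $v4 = gethostbynamel($h) ?: [];
        $v6 = array_column(dns_get_record($h, DNS_AAAA) ?: [], 'ipv6');
        return array_merge($v4, $v6);
    };
    $addrs = $resolver($host);
    if ($addrs === []) {
        return null;                                   // unresolvable: do not fetch
    }
    foreach ($addrs as $ip) {
        if (is_blocked_ip($ip)) {
            return null;
        }
    }
    return $url;
}

/** CSRF token from the CSPRNG, as the "use random_bytes() if available" commit describes. */
function make_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Constant-time, type-strict comparison for CSRF tokens and OTP codes. A loose
 * `==` would treat "0e123" and "0e456" as equal numeric strings and coerce null;
 * hash_equals() does neither, and a missing token fails closed.
 */
function token_matches(?string $submitted, string $expected): bool
{
    return is_string($submitted) && hash_equals($expected, $submitted);
}

// Constructed resolver so the example runs without DNS: "intranet.example" resolves
// to loopback, "feeds.example" to a public address (both hosts are made up).
$fake_dns = static fn (string $h): array =>
    ['intranet.example' => ['127.0.0.1'], 'feeds.example' => ['203.0.113.10']][$h] ?? [];

$cases = [
    'http://feeds.example/rss.xml',        // plain public feed
    'http://intranet.example/admin',       // resolves to loopback
    'http://feeds.example:8080/',          // port outside 80/443
    'https://[::1]/',                      // IPv6 loopback literal
    'file:///etc/passwd',                  // scheme outside http/https
];
foreach ($cases as $c) {
    printf("%-38s %s\n", $c, validate_outbound_url($c, $fake_dns) === null ? 'refused' : 'allowed');
}

$token = make_csrf_token();
var_dump(token_matches($token, $token), token_matches(null, $token));
```

The resolver is resolved once and checked once, which mirrors the commit's "resolve requested hosts and check" approach but does not close the DNS-rebinding gap noted in the comment; that needs cooperation from the HTTP client (connecting to the vetted address, or re-validating on each redirect, since a redirect target is a fresh URL that must pass the same guard).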