Age         Commit message  [Author]
2020-09-21  clarify some URL validation-related error messages  [Andrew Dolgov]
2020-09-21  clarify some URL validation-related error messages  [Andrew Dolgov]
2020-09-21  update_rss_feed: log effective URL after fetching  [Andrew Dolgov]
            validate_url: treat scheme as case-insensitive
2020-09-20  resolve_redirects: fix previous  [Andrew Dolgov]
2020-09-20  resolve_redirects: only use three-argument version of get_headers() on PHP 7.1+  [Andrew Dolgov]
2020-09-19  update URL pointing to version.json  [Andrew Dolgov]
2020-09-19  Merge branch 'gettext-const-scope' of JustAMacUser/tt-rss into master  [fox]
2020-09-18  Remove `private` scope for class constants.  [JustAMacUser]
            This change branches from the merged patch by Sunil Mohan Adapa for Debian's package.
2020-09-18  add basic safe mode which doesn't load any user plugins  [Andrew Dolgov]
2020-09-18  - gettext: merge patch from Sunil Mohan Adapa which rewrites plural parser to not use eval()  [Andrew Dolgov]
            - fix typo in aforementioned patch which caused plurals to never load
            - update code again to newer PHP constructor syntax
2020-09-18  prevent source errors from crashing gulp watch  [Andrew Dolgov]
2020-09-17  add eslint to package.json  [Andrew Dolgov]
2020-09-17  add less to package.json  [Andrew Dolgov]
2020-09-17  validate_url: relax requirements for URLs, limit additional port/loopback filtering to fetch_file_contents()  [Andrew Dolgov]
2020-09-17  replace FALSE with false so that static analyzer shuts up about it  [Andrew Dolgov]
2020-09-17  rename gettext.inc to gettext.inc.php (cosmetic)  [Andrew Dolgov]
2020-09-17  auth_internal: cast OTP code to integer before trying to check it  [Andrew Dolgov]
2020-09-17  fetch_file_contents: validate effective URL (after redirects) without CURL  [Andrew Dolgov]
2020-09-17  fetch_file_contents: validate effective URL (after redirects) if using CURL  [Andrew Dolgov]
2020-09-17  don't try to update manually disabled feeds even if they haven't been updated before or are marked for a manual update  [Andrew Dolgov]
2020-09-17  add gulp task for less compilation  [Andrew Dolgov]
2020-09-17  add makefile for less to css compilation  [Andrew Dolgov]
2020-09-17  forgotpass: use type-strict comparison for reset token  [Andrew Dolgov]
2020-09-17  don't try to call hash_equals() on unset user token  [Andrew Dolgov]
2020-09-17  use hash_equals() correctly  [Andrew Dolgov]
2020-09-17  fix several cases of Db class being invoked as wrong name (as DB)  [Andrew Dolgov]
2020-09-17  replace some plain http links with https  [Andrew Dolgov]
2020-09-17  * use get_random_bytes() for CSRF token  [Andrew Dolgov]
            * get_random_bytes: use PHP7 random_bytes() if it is available
            * validate CSRF token using hash_equals
2020-09-17  auth_internal: use type-strict comparison when checking OTP code  [Andrew Dolgov]
2020-09-17  fix typo in previous  [Andrew Dolgov]
2020-09-17  fix OTP QR code not displayed because of CSRF token passed as a query parameter  [Andrew Dolgov]
            use type-strict comparison when validating CSRF token on the backend
2020-09-17  amend previous to 127/8 subnet  [Andrew Dolgov]
2020-09-17  fetch_file_contents: resolve requested hosts and check for possible loopback address  [Andrew Dolgov]
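The commits above ("validate_url: treat scheme as case-insensitive", "limit additional port/loopback filtering to fetch_file_contents()", "validate effective URL (after redirects)" and "resolve requested hosts and check for possible loopback address", amended to 127/8) together describe a fetcher hardened against being pointed at the server's own loopback interface. The block below is an added example written for this log and is not tt-rss code: the function names follow the commit messages, but the bodies, the manual redirect loop, the IPv6 and IPv4-mapped loopback cases and the DNS lookup are this example's own and go beyond what the messages state. It assumes the PHP curl extension is loaded.

```php
<?php
// Added example, not tt-rss code: the checks the validate_url / fetch_file_contents
// commits above describe. Function names follow the commit messages, the bodies are
// this example's own, and the manual redirect loop and IPv6 handling go beyond
// what the messages state.

function validate_url(string $url): ?string {
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) return null;
    // Scheme is case-insensitive (RFC 3986 3.1): "HTTP://" and "Https://" must pass
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;
    return $scheme . substr($url, strlen($scheme));        // normalize scheme, keep the rest
}

function is_loopback_ip(string $ip): bool {
    $bin = inet_pton($ip);
    if ($bin === false) return true;                       // unparsable: refuse to fetch
    if (strlen($bin) === 4) return ord($bin[0]) === 127;   // 127.0.0.0/8
    if ($bin === inet_pton('::1')) return true;
    // IPv4-mapped IPv6 (::ffff:127.0.0.1) reaches loopback as well
    $v4mapped = str_repeat("\x00", 10) . "\xff\xff";
    return substr($bin, 0, 12) === $v4mapped && ord($bin[12]) === 127;
}

function resolve_host(string $host): ?array {
    $host = trim($host, '[]');                             // parse_url keeps brackets on IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) return [$host];
    $ips = [];
    foreach ((array) @dns_get_record($host, DNS_A + DNS_AAAA) as $record) {
        if (isset($record['ip']))   $ips[] = $record['ip'];
        if (isset($record['ipv6'])) $ips[] = $record['ipv6'];
    }
    return $ips ?: null;                                   // unresolvable: caller refuses
}

function url_is_fetchable(string $url): bool {
    $host = parse_url($url, PHP_URL_HOST);
    $ips = is_string($host) ? resolve_host($host) : null;
    if ($ips === null) return false;
    foreach ($ips as $ip) {
        if (is_loopback_ip($ip)) return false;             // any loopback answer disqualifies the host
    }
    return true;
}

function fetch_file_contents(string $url, int $max_redirects = 5): ?string {
    // Redirects are followed by hand so the effective URL of every hop is validated;
    // with CURLOPT_FOLLOWLOCATION a 302 from a public host to http://127.0.0.1:8080/
    // would be fetched unchecked.
    for ($hop = 0; $hop <= $max_redirects; $hop++) {
        $url = validate_url($url);
        if ($url === null || !url_is_fetchable($url)) return null;
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 15,
        ]);
        $body     = curl_exec($ch);
        $status   = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $location = curl_getinfo($ch, CURLINFO_REDIRECT_URL);  // absolute URL of the next hop, or ""
        curl_close($ch);
        if ($body === false) return null;
        if ($status >= 300 && $status < 400 && is_string($location) && $location !== '') {
            $url = $location;
            continue;
        }
        return $body;
    }
    return null;                                           // redirect chain too long
}

// Constructed inputs; none of these needs the network.
var_dump(validate_url('HTTP://example.org/feed?x=1#top'));
var_dump(url_is_fetchable('http://127.0.0.1:8080/'));
var_dump(url_is_fetchable('http://[::ffff:127.0.0.1]/'));
var_dump(url_is_fetchable('http://[::1]/'));
```

Two caveats a practitioner should keep in mind. First, the lookup in `resolve_host()` and the lookup curl performs are separate; a DNS record with a short TTL can answer differently each time (DNS rebinding), so a stricter version pins the address that passed the check with `CURLOPT_RESOLVE` rather than letting curl resolve again. Second, 127/8 is only the loopback range; the same `is_loopback_ip()` hook is where a deployment would also reject RFC 1918, link-local (169.254/16, including cloud metadata endpoints) and other internal ranges, which these commits do not claim to cover.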
2020-09-16  build_url: also put query parameters and fragment in resulting URL  [Andrew Dolgov]
            rewrite_relative_url: simplify handling of relative URLs
2020-09-16  subscribe: allow pre-filling feed URL if passed via query string  [Andrew Dolgov]
2020-09-16  cached_url: block SVG images because of potential javascript inside  [Andrew Dolgov]
2020-09-16  pass CSRF token to opml import and feed icon replace dialogs  [Andrew Dolgov]
2020-09-16  fix default password nag dialog, load via xhr  [Andrew Dolgov]
2020-09-15  editFeed: only try to reload feed tree in preferences if it's actually there  [Andrew Dolgov]
2020-09-15  comments link: load in new tab  [Andrew Dolgov]
2020-09-15  editarticletags: load dialog via XHR  [Andrew Dolgov]
2020-09-15  handler: default base csrf_ignore() to false  [Andrew Dolgov]
2020-09-15  backend handler: require CSRF, remove obsolete code  [Andrew Dolgov]
2020-09-15  public/logout: require valid CSRF token  [Andrew Dolgov]
2020-09-15  Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection  [Andrew Dolgov]
2020-09-15  - backend: require CSRF token to be passed via POST  [Andrew Dolgov]
            - do not leak CSRF token via GET request in feed debugger
            - rework Article/redirect to use POST
2020-09-15  don't pass csrf token as a GET parameter to Article  [Andrew Dolgov]
2020-09-15  require CSRF token for Article/redirect  [Andrew Dolgov]
2020-09-15  - enable CSRF support earlier  [Andrew Dolgov]
            - remove rpc/sanityCheck from CSRF-excluded calls
2020-09-15  af_proxy_http: require separate token to access imgproxy  [Andrew Dolgov]
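Several commits in this log deal with how secrets are generated and compared: "use get_random_bytes() for CSRF token" with a PHP 7 random_bytes() fallback, "validate CSRF token using hash_equals" together with "use hash_equals() correctly" and "don't try to call hash_equals() on unset user token", "require CSRF token to be passed via POST" / "do not leak CSRF token via GET request", and for OTP "cast OTP code to integer before trying to check it" plus "use type-strict comparison when checking OTP code". The block below is an added example illustrating those points, written for this log and not taken from tt-rss: the function names, the `$session` array standing in for `$_SESSION`, the TOTP routine and the demo secret are this example's own assumptions.

```php
<?php
// Added example, not tt-rss code: issuing and checking a CSRF token, and
// checking a numeric OTP code, without loose comparison. Function names and
// the $session array standing in for $_SESSION are assumptions for this example.

function get_random_bytes(int $length): string {
    // random_bytes() is the CSPRNG on PHP 7+; older PHP must fall back to openssl
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('no cryptographically strong RNG available');
    }
    return $bytes;
}

function csrf_token_issue(array &$session): string {
    // one token per session; 32 random bytes, hex-encoded for safe embedding in forms
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(get_random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(string $method, array $post, array $session): bool {
    // Tokens travel in the POST body only: a token in the query string ends up in
    // server logs, browser history and Referer headers.
    if ($method !== 'POST') {
        return false;
    }
    $supplied = $post['csrf_token'] ?? null;
    $known = $session['csrf_token'] ?? null;
    // hash_equals() needs two strings; calling it with an unset (null) token is a
    // TypeError on PHP 8, so guard first. Known value goes first, user value second.
    if (!is_string($supplied) || !is_string($known) || $known === '') {
        return false;
    }
    return hash_equals($known, $supplied);
}

function totp_code(string $secret, int $counter, int $digits = 6): int {
    // RFC 6238 over RFC 4226: HMAC-SHA1 of the big-endian counter, dynamic truncation
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $bin = ((ord($hmac[$offset]) & 0x7f) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         | ord($hmac[$offset + 3]);
    return $bin % (10 ** $digits);
}

function otp_code_valid($submitted, string $secret, ?int $now = null): bool {
    // $submitted arrives as a string from the form. With ==, PHP would accept
    // "1e3" for 1000 or (before PHP 8) "abc" for 0, so require digits only,
    // cast to int, and compare with ===.
    $submitted = is_string($submitted) ? trim($submitted) : '';
    if ($submitted === '' || !ctype_digit($submitted) || strlen($submitted) > 6) {
        return false;
    }
    $code = (int) $submitted;
    $counter = intdiv($now ?? time(), 30);
    foreach ([0, -1, 1] as $skew) {          // tolerate one 30 s step of clock drift
        if ($code === totp_code($secret, $counter + $skew)) {
            return true;
        }
    }
    return false;
}

// Demo with a constructed session and a constructed OTP secret.
$session = [];
$token = csrf_token_issue($session);
var_dump(csrf_token_valid('POST', ['csrf_token' => $token], $session));   // matching token
var_dump(csrf_token_valid('GET',  ['csrf_token' => $token], $session));   // wrong method
var_dump(csrf_token_valid('POST', ['csrf_token' => $token], []));         // no session token
$secret = 'constructed-demo-secret';
var_dump(otp_code_valid((string) totp_code($secret, intdiv(time(), 30)), $secret));
var_dump(otp_code_valid('1e3', $secret));                                 // numeric-string trick
```

The `is_string()` guards are what the "don't try to call hash_equals() on unset user token" commit is about: a session without a token must fail closed rather than raise, and the known value must be the first argument so that timing depends only on the length of the stored token. For OTP, strict comparison of integers closes the loose-comparison holes but is not rate limiting; a six-digit code still needs an attempt counter and rejection of a code that has already been used.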