Age | Commit message | Author | |
---|---|---|---|
2020-12-12 | Make 'ttrss_error_handler' compatible w/ 8. | wn | |
https://github.com/php/php-src/blob/2d467abc46ec4ee97484d4e35909bed322600037/UPGRADING#L43 https://github.com/php/php-src/blob/2d467abc46ec4ee97484d4e35909bed322600037/UPGRADING#L63 | |||
2020-12-12 | Don't do deprecated 'libxml_disable_entity_loader(true)' under PHP 8. | wn | |
https://github.com/php/php-src/blob/2d467abc46ec4ee97484d4e35909bed322600037/UPGRADING#L886 | |||
2020-12-12 | Switch to 'get_error_types()' to ensure availability in 'include/functions.php'. | wn | |
The global in 'sanity_check()' was null... possibly due to circular requires? | |||
2020-12-12 | Only do sanity checks for self URL if we can create a valid URL. | wn | |
'sanity_check.php' gets included in 'update.php' and 'update_daemon2.php', where a Host request header is likely not provided. | |||
2020-12-11 | - move sphinx plugin to a separate repo | Andrew Dolgov | |
- regenerate config checks without sphinx-related variables | |||
2020-11-30 | add support for an override stylesheet which applies to all users | Andrew Dolgov | |
2020-10-01 | enable Farsi locale in the UI | Andrew Dolgov | |
2020-09-30 | add DAEMON_UNSUCCESSFUL_DAYS_LIMIT tunable (defaults to 30 days) | Andrew Dolgov | |
2020-09-30 | set session.cookie_lifetime to 0 initially instead of a rather useless min() | Andrew Dolgov | |
2020-09-28 | schema: add ttrss_feeds.last_successful_update | Andrew Dolgov | |
2020-09-23 | move timestamp-related stuff to a separate class | Andrew Dolgov | |
2020-09-22 | remove a lot of stuff from global context (functions.php), add a few helper classes instead | Andrew Dolgov | |
2020-09-21 | clarify some URL validation-related error messages | Andrew Dolgov | |
2020-09-21 | clarify some URL validation-related error messages | Andrew Dolgov | |
2020-09-21 | update_rss_feed: log effective URL after fetching | Andrew Dolgov | |
validate_url: treat scheme as case-insensitive | |||
2020-09-20 | resolve_redirects: fix previous | Andrew Dolgov | |
2020-09-20 | resolve_redirects: only use three argument version of get_headers() on php 7.1+ | Andrew Dolgov | |
2020-09-18 | add basic safe mode which doesn't load any user plugins | Andrew Dolgov | |
2020-09-17 | validate_url: relax requirements for URLs, limit additional port/loopback filtering to fetch_file_contents() | Andrew Dolgov | |
2020-09-17 | replace FALSE with false so that static analyzer shuts up about it | Andrew Dolgov | |
2020-09-17 | rename gettext.inc to gettext.inc.php (cosmetic) | Andrew Dolgov | |
2020-09-17 | fetch_file_contents: validate effective URL (after redirects) without CURL | Andrew Dolgov | |
2020-09-17 | fetch_file_contents: validate effective URL (after redirects) if using CURL | Andrew Dolgov | |
2020-09-17 | don't try to call hash_equals() on unset user token | Andrew Dolgov | |
2020-09-17 | use hash_equals() correctly | Andrew Dolgov | |
2020-09-17 | fix several cases of Db class being invoked as wrong name (as DB) | Andrew Dolgov | |
2020-09-17 | replace some plain http links with https | Andrew Dolgov | |
2020-09-17 | * use get_random_bytes() for CSRF token | Andrew Dolgov | |
* get_random_bytes: use PHP7 random_bytes() if it is available * validate CSRF token using hash_equals | |||
2020-09-17 | fix OTP QR code not displayed because of CSRF token passed as a query | Andrew Dolgov | |
parameter use type-strict comparison when validating CSRF token on the backend | |||
2020-09-17 | amend previous to 127/8 subnet | Andrew Dolgov | |
2020-09-17 | fetch_file_contents: resolve requested hosts and check for possible | Andrew Dolgov | |
loopback address | |||
2020-09-16 | build_url: also put query parameters and fragment in resulting URL | Andrew Dolgov | |
rewrite_relative_url: simplify handling of relative URLs | |||
2020-09-16 | cached_url: block SVG images because of potential javascript inside | Andrew Dolgov | |
2020-09-15 | don't pass csrf token as a GET parameter to Article | Andrew Dolgov | |
2020-09-15 | rewrite_relative_url: validate resulting absolutized URLs | Andrew Dolgov | |
2020-09-15 | validate_url: only allow safe ports (80, 443), disallow access to loopback | Andrew Dolgov | |
2020-09-15 | validate_url: add clean() | Andrew Dolgov | |
2020-09-15 | rename base64_img() to image_to_base64() | Andrew Dolgov | |
2020-09-15 | cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks | Andrew Dolgov | |
2020-09-14 | remove csrf token from rpc method sanityCheck | Andrew Dolgov | |
2020-09-14 | - fix multiple vulnerabilities in af_proxy_http | Andrew Dolgov | |
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized - fetch_file_contents: validate all URLs before requesting them - validate URLs: explicitly whitelist http and https scheme, forbid everything else - DiskCache/cached_url: only serve whitelisted content types (images, video) - simplify filename/URL handling code, remove and consolidate some less-used functions | |||
2020-07-13 | Update wiki and forums links in error message. | Rodney Stromlund | |
2020-06-15 | better support for image srcset attributes as discussed in https://community.tt-rss.org/t/problem-with-img-srcset/3519 | Andrew Dolgov | |
2020-05-23 | only bind up/down in 3 panel mode | Andrew Dolgov | |
2020-05-23 | Revert "unbind up/down by default (use native scrolling for consistency with pgup/pgdn)" | Andrew Dolgov | |
This reverts commit 6fc18e450b72306693de8723464f4176e73c5a5b. | |||
2020-05-23 | unbind up/down by default (use native scrolling for consistency with pgup/pgdn) | Andrew Dolgov | |
2020-05-17 | implement keyboard-related changes discussed in https://community.tt-rss.org/t/changing-the-amount-of-scroll-by-arrow-key/3452/7 | Andrew Dolgov | |
2020-05-15 | Make iframes size responsively. | JustAMacUser | |
2020-05-09 | sanitize: forbid "allow" attribute | Andrew Dolgov | |
CSS: remove auto hyphens stuff, remove iframe width clipping to 98% because they get squished | |||
2020-05-09 | add hotkey "\" to cancel current search | Andrew Dolgov | |