path: root/include
| Age | Commit message | Author |
|---|---|---|
| 2021-02-08 | sanity checks: use better CLI detection, shorten most of the text [wip-php8] | Andrew Dolgov |
| 2021-02-06 | event log: add pagination | Andrew Dolgov |
| 2021-02-06 | _color_pack: define variable before using | Andrew Dolgov |
| 2021-02-06 | fix clean() for arrays and user plugin list | Andrew Dolgov |
| 2021-02-06 | more php8 fixes mostly related to login | Andrew Dolgov |
| 2021-02-05 | initial WIP for php8; bump php version requirement to 7.0 | Andrew Dolgov |
| 2021-01-07 | feed editor: show purge interval correctly if FORCE_ARTICLE_PURGE is set | Andrew Dolgov |
| 2020-12-20 | update_rss_feed: fix BLACKLISTED_TAGS not working properly, simplify tag-related code | Andrew Dolgov |
| 2020-12-12 | Make 'ttrss_error_handler' compatible w/ 8. https://github.com/php/php-src/blob/2d467abc46ec4ee97484d4e35909bed322600037/UPGRADING#L43 https://github.com/php/php-src/blob/2d467abc46ec4ee97484d4e35909bed322600037/UPGRADING#L63 | wn |
| 2020-12-12 | Don't do deprecated 'libxml_disable_entity_loader(true)' under PHP 8. https://github.com/php/php-src/blob/2d467abc46ec4ee97484d4e35909bed322600037/UPGRADING#L886 | wn |
| 2020-12-12 | Switch to 'get_error_types()' to ensure availability in 'include/functions.php'. The global in 'sanity_check()' was null... possibly due to circular requires? | wn |
| 2020-12-12 | Only do sanity checks for self URL if we can create a valid URL. 'sanity_check.php' gets included in 'update.php' and 'update_daemon2.php', where a Host request header is likely not provided. | wn |
| 2020-12-11 | - move sphinx plugin to a separate repo - regenerate config checks without sphinx-related variables | Andrew Dolgov |
| 2020-11-30 | add support for an override stylesheet which applies to all users | Andrew Dolgov |
| 2020-10-01 | enable Farsi locale in the UI | Andrew Dolgov |
| 2020-09-30 | add DAEMON_UNSUCCESSFUL_DAYS_LIMIT tunable (defaults to 30 days) | Andrew Dolgov |
| 2020-09-30 | set session.cookie_lifetime to 0 initially instead of a rather useless min() | Andrew Dolgov |
| 2020-09-28 | schema: add ttrss_feeds.last_successful_update | Andrew Dolgov |
| 2020-09-23 | move timestamp-related stuff to a separate class | Andrew Dolgov |
| 2020-09-22 | remove a lot of stuff from global context (functions.php), add a few helper classes instead | Andrew Dolgov |
| 2020-09-21 | clarify some URL validation-related error messages | Andrew Dolgov |
| 2020-09-21 | clarify some URL validation-related error messages | Andrew Dolgov |
| 2020-09-21 | update_rss_feed: log effective URL after fetching; validate_url: treat scheme as case-insensitive | Andrew Dolgov |
| 2020-09-20 | resolve_redirects: fix previous | Andrew Dolgov |
| 2020-09-20 | resolve_redirects: only use three argument version of get_headers() on php 7.1+ | Andrew Dolgov |
| 2020-09-18 | add basic safe mode which doesn't load any user plugins | Andrew Dolgov |
| 2020-09-17 | validate_url: relax requirements for URLs, limit additional port/loopback filtering to fetch_file_contents() | Andrew Dolgov |
| 2020-09-17 | replace FALSE with false so that static analyzer shuts up about it | Andrew Dolgov |
| 2020-09-17 | rename gettext.inc to gettext.inc.php (cosmetic) | Andrew Dolgov |
| 2020-09-17 | fetch_file_contents: validate effective URL (after redirects) without CURL | Andrew Dolgov |
| 2020-09-17 | fetch_file_contents: validate effective URL (after redirects) if using CURL | Andrew Dolgov |
| 2020-09-17 | don't try to call hash_equals() on unset user token | Andrew Dolgov |
| 2020-09-17 | use hash_equals() correctly | Andrew Dolgov |
| 2020-09-17 | fix several cases of Db class being invoked as wrong name (as DB) | Andrew Dolgov |
| 2020-09-17 | replace some plain http links with https | Andrew Dolgov |
| 2020-09-17 | * use get_random_bytes() for CSRF token * get_random_bytes: use PHP7 random_bytes() if it is available * validate CSRF token using hash_equals | Andrew Dolgov |
| 2020-09-17 | fix OTP QR code not displayed because of CSRF token passed as a query parameter; use type-strict comparison when validating CSRF token on the backend | Andrew Dolgov |
| 2020-09-17 | amend previous to 127/8 subnet | Andrew Dolgov |
| 2020-09-17 | fetch_file_contents: resolve requested hosts and check for possible loopback address | Andrew Dolgov |
| 2020-09-16 | build_url: also put query parameters and fragment in resulting URL; rewrite_relative_url: simplify handling of relative URLs | Andrew Dolgov |
| 2020-09-16 | cached_url: block SVG images because of potential javascript inside | Andrew Dolgov |
| 2020-09-15 | don't pass csrf token as a GET parameter to Article | Andrew Dolgov |
| 2020-09-15 | rewrite_relative_url: validate resulting absolutized URLs | Andrew Dolgov |
| 2020-09-15 | validate_url: only allow safe ports (80, 443), disallow access to loopback | Andrew Dolgov |
| 2020-09-15 | validate_url: add clean() | Andrew Dolgov |
| 2020-09-15 | rename base64_img() to image_to_base64() | Andrew Dolgov |
| 2020-09-15 | cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks | Andrew Dolgov |
| 2020-09-14 | remove csrf token from rpc method sanityCheck | Andrew Dolgov |
| 2020-09-14 | - fix multiple vulnerabilities in af_proxy_http - fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized - fetch_file_contents: validate all URLs before requesting them - validate URLs: explicitly whitelist http and https scheme, forbid everything else - DiskCache/cached_url: only serve whitelisted content types (images, video) - simplify filename/URL handling code, remove and consolidate some less-used functions | Andrew Dolgov |
| 2020-07-13 | Update wiki and forums links in error message. | Rodney Stromlund |