Age | Commit message | Author | |
---|---|---|---|
2020-10-11 | Ensure proxy_all setting is saved in database. | JustAMacUser | |
2020-09-22 | remove a lot of stuff from global context (functions.php), add a few helper classes instead | Andrew Dolgov | |
2020-09-17 | * use get_random_bytes() for CSRF token<br>* get_random_bytes: use PHP7 random_bytes() if it is available<br>* validate CSRF token using hash_equals | Andrew Dolgov | |
2020-09-15 | af_proxy_http: require separate token to access imgproxy | Andrew Dolgov | |
2020-09-15 | af_proxy_http: never print received data directly, always redirect to cached_url<br>cache/getUrl: basename() passed filename just in case | Andrew Dolgov | |
2020-09-14 | - fix multiple vulnerabilities in af_proxy_http<br>- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized<br>- fetch_file_contents: validate all URLs before requesting them<br>- validate URLs: explicitly whitelist http and https scheme, forbid everything else<br>- DiskCache/cached_url: only serve whitelisted content types (images, video)<br>- simplify filename/URL handling code, remove and consolidate some less-used functions | Andrew Dolgov | |
2019-08-15 | pluginhost: add helper methods to get private/public pluginmethod endpoint URLs | Andrew Dolgov | |
2019-08-15 | fix several leftover mentions of old (renamed) class name, duh | Andrew Dolgov | |
2019-08-15 | af_zz_imgproxy: rename to af_proxy_http, use priority hook loader | Andrew Dolgov | |