6a4b6cf603
amend previous to 127/8 subnet
4 years ago
213d6330b1
fetch_file_contents: resolve requested hosts and check for possible
...
loopback address
4 years ago
88c4dc405e
build_url: also put query parameters and fragment in resulting URL
...
rewrite_relative_url: simplify handling of relative URLs
4 years ago
9d3c794983
subscribe: allow pre-filling feed URL if passed via query string
4 years ago
da5af2fae0
cached_url: block SVG images because of potential javascript inside
4 years ago
33fdde249e
pass CSRF token to opml import and feed icon replace dialogs
4 years ago
f693ebab21
fix default password nag dialog, load via xhr
4 years ago
77faa5d523
editFeed: only try to reload feed tree in preferences if its actually there
4 years ago
3f9390c45f
comments link: load in new tab
4 years ago
42b5564d1e
editarticletags: load dialog via XHR
4 years ago
0706a328a4
handler: default base csrf_ignore() to false
4 years ago
0a142912d3
backend handler: require CSRF, remove obsolete code
4 years ago
154417d80b
public/logout: require valid CSRF token
4 years ago
cbcb10a272
Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection
4 years ago
8080c525fd
- backend: require CSRF token to be passed via POST
...
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
4 years ago
aeaafefa07
don't pass csrf token as a GET parameter to Article
4 years ago
e670ac2ee5
require CSRF token for Article/redirect
4 years ago
7e50c6c4b5
- enable CSRF support earlier
...
- remove rpc/sanityCheck from CSRF-excluded calls
4 years ago
91e1542a82
af_proxy_http: require separate token to access imgproxy
4 years ago
1621abcffc
rewrite_relative_url: validate resulting absolutized URLs
4 years ago
aa89ea7769
validate_url: only allow safe ports (80, 443), disallow access to loopback
4 years ago
6c02fea641
validate_url: add clean()
4 years ago
4abc7d7898
rename base64_img() to image_to_base64()
4 years ago
79f102c25d
af_proxy_http: never print received data directly, always redirect to cached_url
...
cache/getUrl: basename() passed filename just in case
4 years ago
1ee458b5c1
cached_url: perform mimetype validation before possible HOOK_SEND_LOCAL_FILE hooks
4 years ago
0758397dd8
af_redditimgur: don't add embedded blank gif image for rewritten videos
4 years ago
4a074111b5
user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean())
4 years ago
da98ba662e
public/subscribe: require valid CSRF token when validating the form
4 years ago
b4cb67e77f
remove csrf token from rpc method sanityCheck
4 years ago
c3d14e1fa5
- fix multiple vulnerabilities in af_proxy_http
...
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
4 years ago
5b17fdc362
Merge branch 'weblate-integration'
4 years ago
a922b3cc6d
order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting
4 years ago
67f02e2aa7
properly return counters for labels with zero assigned articles
...
refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766
4 years ago
5497a137de
Merge branch 'master' of rodneys_mission/tt-rss into master
4 years ago
88ced02622
Silence php 7.2 error message generated in `session_set_cookie_params`.
4 years ago
ddf9227dc4
pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc
4 years ago
dfa65e9374
move order_by to SQL override logic into a separate function
4 years ago
48be005774
instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp
4 years ago
05a47e5cf4
OPML: export/import per-feed purge interval
4 years ago
2b50aaed61
Merge branch 'master' of e1e0/tt-rss into master
4 years ago
c4ee0e25a1
more int/string type mismatches on getCategories
4 years ago
86ba8a96c4
Merge branch 'master' of e1e0/tt-rss into master
4 years ago
f99de985c1
Translated using Weblate (Czech)
...
Currently translated at 100.0% (727 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/cs/
4 years ago
3da618e0ea
make sure all ints are casted (to int) on getCategories
4 years ago
68ccc8f636
Translated using Weblate (Norwegian Bokmål)
...
Currently translated at 44.7% (325 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
4 years ago
376fe6271d
Merge branch 'master' of rodneys_mission/tt-rss-fix-sanity-urls into master
4 years ago
376dce02bb
Update wiki and forums links in error message.
4 years ago
3b033a17f4
Merge branch 'feed-tree-localstorage' of nanaya/tt-rss into master
4 years ago
8d8affdc45
Store FeedTree data in localStorage
...
Patching internal functions of dijit.Tree as they don't provide option on where to store the data.
It stores to cookies by default but the data can get quite big for hundreds of feeds and exceeds cookies size limit.
Not to mention it'll cause the cookie to be sent during any request with nothing handling it server side and just wasting bandwidth.
This patch will also migrate current data in cookie to local storage accordingly.
4 years ago
6868b41cd5
Translated using Weblate (Norwegian Bokmål)
...
Currently translated at 44.7% (325 of 727 strings)
Translation: Tiny Tiny RSS/messages
Translate-URL: https://weblate.tt-rss.org/projects/tt-rss/messages/nb_NO/
4 years ago
Andrew Dolgov