Andrew Dolgov
35b6d63289
af_proxy_http: don't try to proxy back to ourselves
4 years ago
Andrew Dolgov
f58c49beaa
replace a few more controls to new style
4 years ago
Andrew Dolgov
1f43d7916c
replace print_hidden with hidden_tag
4 years ago
Andrew Dolgov
166f2d4666
diskcache: unify naming
4 years ago
Andrew Dolgov
7874f6ac58
remove PHPMD.UnusedFormalParameter
4 years ago
Andrew Dolgov
403dca154c
initial WIP for php8; bump php version requirement to 7.0
4 years ago
JustAMacUser
65b3926ae5
Ensure proxy_all setting is saved in database.
4 years ago
Andrew Dolgov
74568df4ff
remove a lot of stuff from global context (functions.php), add a few helper classes instead
4 years ago
Andrew Dolgov
a817d3794d
* use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
4 years ago
Andrew Dolgov
91e1542a82
af_proxy_http: require separate token to access imgproxy
4 years ago
Andrew Dolgov
79f102c25d
af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
4 years ago
Andrew Dolgov
c3d14e1fa5
- fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
4 years ago
Andrew Dolgov
10c63ed582
pluginhost: add helper methods to get private/public pluginmethod endpoint URLs
5 years ago
Andrew Dolgov
bdf29856fb
fix several leftover mentions of old (renamed) class name, duh
5 years ago
Andrew Dolgov
de5669f723
af_zz_imgproxy: rename to af_proxy_http, use priority hook loader
5 years ago