Commit Graph

259 Commits (a0ce7f556b41e9fa0683076174b3c12f58178296)

Author SHA1 Message Date
Andrew Dolgov a8302fb253 use X-Real-IP headers if possible while authenticating 4 years ago
Andrew Dolgov 215f388992 move timestamp-related stuff to a separate class 4 years ago
Andrew Dolgov 74568df4ff remove a lot of stuff from global context (functions.php), add a few helper classes instead 4 years ago
Andrew Dolgov 03a337a660 add basic safe mode which doesn't load any user plugins 4 years ago
Andrew Dolgov 37f41a5246 forgotpass: use type strict comparison for reset token 4 years ago
Andrew Dolgov 1f79d614c4 fix OTP QR code not displayed because of CSRF token passed as a query
parameter
use type-strict comparison when validating CSRF token on the backend
4 years ago
Andrew Dolgov 9d3c794983 subscribe: allow pre-filling feed URL if passed via query string 4 years ago
Andrew Dolgov 154417d80b public/logout: require valid CSRF token 4 years ago
Andrew Dolgov 8080c525fd - backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
4 years ago
Andrew Dolgov da98ba662e public/subscribe: require valid CSRF token when validating the form 4 years ago
Andrew Dolgov c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
4 years ago
Rodney Stromlund 88ced02622 Silence php 7.2 error message generated in `session_set_cookie_params`. 4 years ago
Andrew Dolgov dfa65e9374 move order_by to SQL override logic into a separate function 4 years ago
Andrew Dolgov 48be005774 instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp 4 years ago
Andrew Dolgov 1f2a721905 allow overriding built-in templates via templates.local 5 years ago
Andrew Dolgov bdb1e475e7 external subscribe dialog: support dark theme 5 years ago
Andrew Dolgov b2876f6c72 share anything dialog: support dark theme 5 years ago
Andrew Dolgov 4ab3854aed don't generate default.css, replace with themes/light.css as a default root CSS file 5 years ago
Andrew Dolgov aa56bcaf44 support night mode when using share by URL 5 years ago
Andrew Dolgov f47998f569 generate_syndicated_feed: use local media in generated feeds if it is available 5 years ago
Andrew Dolgov 72d0fac80c remove version.php and VERSION global constant, do version-related things in a slightly less ridiculous way 5 years ago
Andrew Dolgov ef514bc4bd add notifications for mail and password changes
update and shorten some other message templates
5 years ago
Rodney Stromlund 958c4dc124 Removed extra php end tag that was showing in the page title 5 years ago
Andrew Dolgov 3e4701116d af_readability: add missing file 5 years ago
Andrew Dolgov 0e3b71c535 public/pluginhandler: log invalid requests 5 years ago
Andrew Dolgov d4df57e1a4 Article::get_article_image() - also return stream URI if possible 5 years ago
Andrew Dolgov 68e2b05f65 * move get_article_image to Article; implement better og:image detection (similar to android app)
* pass article image to API clients in headlines row object
5 years ago
Andrew Dolgov 39f459eb04 public/cached_url: forbid sending files with extensions 5 years ago
Andrew Dolgov 3c075bfd21 DiskCache: more strict checking for input filenames, getUrl() is no longer static 5 years ago
Andrew Dolgov fdb6066bf6 * HOOK_ENCLOSURE_ENTRY: pass article_id to handler
* DiskCache: multiple fixes; support isWritable() for cache entries, set content-disposition for send()
* public/cached_url: allow selecting files from sub-caches other than images
* plugins/Cache_Starred_Images: rework to use DiskCache, can be enabled per-user, properly handles article enclosures, etc
5 years ago
Andrew Dolgov 133c2b482b move rewrite_cached_urls to DiskCache::rewriteUrls() 5 years ago
Andrew Dolgov b1dd38f880 add DiskCache.getUrl() and use it in a bunch of places 5 years ago
Andrew Dolgov ea30061cce public: fix share() returning random unshared articles if uuid is not given 5 years ago
Andrew Dolgov 4fa9aee4e7 move several more global functions to more appropriate classes 6 years ago
Andrew Dolgov 6d746453c7 get_feeds_from_html: remove XML preamble hack
move several related helper functions to Feeds class
6 years ago
Andrew Dolgov 671f4cee65 domdocument: remove old meta charset unicode hacks, replace with shorter xml preamble utf8 hack (on loadhtml where it makes sense)
af_readability: better (?) charset hack for non-unicode pages
6 years ago
Andrew Dolgov 6ae0a3dd3e share: further improve og:description excerpt logic, minor layout stuff 6 years ago
Andrew Dolgov 74e8661351 share: decode entities in metadata fields so that length limits would make more sense 6 years ago
Andrew Dolgov 19f162dbe3 css: insensitive -> text-muted 6 years ago
Andrew Dolgov 44858ca2dd Merge branch 'master' of git.fakecake.org:tt-rss 6 years ago
Andrew Dolgov e91223ec7d update CLI schema updater with newer warnings 6 years ago
Andrew Dolgov 609662d48c oops, fix typo 6 years ago
Andrew Dolgov 91cfd9c391 dbupdater: add mysql transaction warning 6 years ago
Andrew Dolgov 0881d0a00d some dbupdater improvements; fix schema 136 syntax for mysql 6 years ago
Andrew Dolgov 38e01270d8 archived feeds: expire old entries (schema bump) 6 years ago
Andrew Dolgov ef6d2b8a4e update notifications to make them more visible
cleanup some minor stuff in pref-users
6 years ago
Andrew Dolgov 5b3a73e574 login: switch to absolute redirect urls 6 years ago
Andrew Dolgov 925065b1fe Revert "login: only allow relative URLs in return="
This reverts commit c68ac04020.
6 years ago
Andrew Dolgov c68ac04020 login: only allow relative URLs in return= 6 years ago
Andrew Dolgov cc57ed3775 public/subscribe: add basic dialog to enter feed urls 6 years ago
Andrew Dolgov 54c1b5c611 fill in some missing doctypes; use short doctype where it wasn't 6 years ago
Andrew Dolgov d60038d48b simplify some public.php prompts; prevent from submitting forgotpass form repeatedly if check succeeds 6 years ago
Andrew Dolgov 6701497879 public.php: markup cleanup 6 years ago
Andrew Dolgov be322d6fc8 cleanup sharepopup dialog 6 years ago
Andrew Dolgov d9e20f8b16 update external subscribe dialog 6 years ago
Andrew Dolgov 5ce55faa3b installer: reduce margins; misc fixes 6 years ago
Andrew Dolgov 420e71280a dbupdater: dojoify, add some missing translations 6 years ago
Andrew Dolgov f7a4a45bde pwd reset: use dijit controls 6 years ago
Andrew Dolgov 59df261fb8 forgotpass: slightly better anti-bot protection 6 years ago
Andrew Dolgov 8cd7f31bde utility css updates 6 years ago
Andrew Dolgov c11f32ac38 center and rework some utility screens 6 years ago
Andrew Dolgov b1f9ebe46e get_article_image: ignore data: schema images, other minor fixes 6 years ago
Andrew Dolgov e70d42237a edit options after subscribe: use correct method name 6 years ago
Andrew Dolgov d0d05e4079 zoom mode: hide .attachments 6 years ago
Andrew Dolgov 6a6af964df feed template, ARTICLE_OG_IMAGE: set as optional 6 years ago
Andrew Dolgov 851f62dc4a syndicated feeds:
1. properly reset enclosure template variables if there's no enclosures
2. add ARTICLE_OG_IMAGE which sets flavor image for article using common code with article render etc
6 years ago
Andrew Dolgov b2c079893b move Article::format_article() to Handler_Public 6 years ago
Andrew Dolgov 966fe6d612 #sharepopup: update css 6 years ago
Andrew Dolgov 19e24b4fe2 force cast profile id to integer when assigning to session variable 6 years ago
Andrew Dolgov 29c890b495 login form: use dojo, remove profile hacks 6 years ago
Andrew Dolgov 79c5035920 reset password: use updated mailer parameters properly 6 years ago
Andrew Dolgov 57932e1837 remove PHPMailer and related directives from config.php-dist; add pluggable Mailer class 6 years ago
Andrew Dolgov 253dbd4856 generate_syndicated_feed: add support for virtual feeds provided by plugins 6 years ago
Andrew Dolgov 5f66f872b6 fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 6 years ago
Andrew Dolgov f8fc1ac543 login: check for stale session in login handler, instead of authenticate_user() 6 years ago
Andrew Dolgov f730d7bb0a another attempt to enforce session ID regeneration on login 6 years ago
Andrew Dolgov 65e98f4086 force regenerate session id on successful login, remove previous blank SID check 6 years ago
Andrew Dolgov 88adf3da1b send_local_file: add application/octet-stream hack
cached_url: return original requested filename to save as
6 years ago
Andrew Dolgov e6532439d6 force strip_tags() on all user input unless explicitly allowed 7 years ago
Andrew Dolgov df5d2a0665 pluginhost: do not connect via legacy DB api until requested
log all initiated legacy database connections
7 years ago
Andrew Dolgov b51d44a5e6 further stylesheet simplification related fixes (2) 7 years ago
Andrew Dolgov 09bc54c690 further stylesheet simplification related fixes 7 years ago
Andrew Dolgov 5e68e24679 css/less updates 7 years ago
Andrew Dolgov 187abfe732 main classes: remove sql_bool_to_bool() kludge 7 years ago
Andrew Dolgov 1d92297a96 dbupdater: use PDO 7 years ago
Andrew Dolgov cb13089af1 public: use PDO headlines result (2) 7 years ago
Andrew Dolgov dc393a580b public: use PDO headlines result 7 years ago
Andrew Dolgov 1271407eea public: partial conversion to PDO, misc fixes 7 years ago
Andrew Dolgov 9dd336a2c3 generate base css files using lessc 7 years ago
Andrew Dolgov 2352c320c2 fix possible sql injection in public/forgotpass 7 years ago
Gilles Grandou 81d96c0dee makes 'order by title' to sort by title and by ascending date
* this allows to chronologically browse all articles with the
  same title.
7 years ago
Andrew Dolgov 8b73bd28d8 remove apache-specific x-sendfile stuff
implement a hook (HOOK_SEND_LOCAL_FILE) which plugins may use to send files
via httpd-specific implementation to increase performance typically on larger files
7 years ago
Andrew Dolgov b2d42e960b replace some usages of SELF_URL_PATH with get_self_url_prefix() 8 years ago
Andrew Dolgov 5b6ea1ef91 remove pubsubhubbub: dead 8 years ago
Andrew Dolgov 2ed0d6c433 move counter cache to a separate class
fix references to get_article_tags
8 years ago
Andrew Dolgov aeb1abedb2 move a bunch of functions into Feeds/Article namespaces
+       static function catchupArticlesById($ids, $cmode, $owner_uid = false) {
+       static function getLastArticleId() {
+       static function queryFeedHeadlines($params) {
+       static function getParentCategories($cat, $owner_uid) {
+       static function getChildCategories($cat, $owner_uid) {

move the rest of functions2.php back to functions.php as it is of more manageable size, remove the former
8 years ago
Andrew Dolgov a230bf88a9 move to Article:
+       static function purge_orphans($do_output = false) {

move to Feeds

+       static function getGlobalUnread($user_id = false) {
+       static function getCategoryTitle($cat_id) {
+       static function getLabelUnread($label_id, $owner_uid = false) {
8 years ago
Andrew Dolgov 86a8351ca2 move the following to Feeds:
+       static function catchup_feed($feed, $cat_view, $owner_uid = false, $mode = 'all', $search = false) {
+       static function getFeedArticles($feed, $is_cat = false, $unread_only = false,
+       static function subscribe_to_feed($url, $cat_id = 0,
+       static function getFeedIcon($id) {
+       static function getFeedTitle($id, $cat = false) {
+       static function getCategoryUnread($cat, $owner_uid = false) {
+       static function getCategoryChildrenUnread($cat, $owner_uid = false) {
8 years ago
Andrew Dolgov 7e5f8d9fb3 move the following to Article:
+       static function format_article_enclosures($id, $always_display_enclosures,
+       static function format_article($id, $mark_as_read = true, $zoom_mode = false, $owner_uid = false) {
+       static function get_article_tags($id, $owner_uid = 0, $tag_cache = false) {
+       static function format_tags_string($tags) {
+       static function format_article_labels($labels) {
+       static function format_article_note($id, $note, $allow_edit = true) {
+       static function get_article_enclosures($id) {
8 years ago
Andrew Dolgov ea79a0e033 remove some redundant php closing tags 8 years ago