Andrew Dolgov
a897c4165b
validate URLs: convert IDN to punycode before passing URL to filter_var()
4 years ago
Andrew Dolgov
6811d0bde2
use self:: in some places to invoke static methods from the same class
4 years ago
Andrew Dolgov
b5710baf34
- don't fail on non-ascii characters when validating URLs
- fix IDN hostnames not being converted properly
4 years ago
Andrew Dolgov
ab6aa0ad3e
fix previous re: resolve_redirects
4 years ago
Andrew Dolgov
74568df4ff
remove a lot of stuff from global context (functions.php), add a few helper classes instead
4 years ago
Andrew Dolgov
3dd4169b5f
clarify some URL validation-related error messages
4 years ago
Andrew Dolgov
4785f21316
update_rss_feed: log effective URL after fetching
validate_url: treat scheme as case-insensitive
4 years ago
Andrew Dolgov
05ef9aac2f
update URL pointing to version.json
4 years ago
Andrew Dolgov
03a337a660
add basic safe mode which doesn't load any user plugins
4 years ago
Andrew Dolgov
a4525d31b2
replace FALSE with false so that static analyzer shuts up about it
4 years ago
Andrew Dolgov
afa0023c51
don't try to update manually disabled feeds even if they haven't been updated before or are marked for a manual update
4 years ago
Andrew Dolgov
37f41a5246
forgotpass: use type strict comparison for reset token
4 years ago
Andrew Dolgov
e3adacc588
fix several cases of Db class being invoked as wrong name (as DB)
4 years ago
Andrew Dolgov
89d53a7f49
fix typo in previous
4 years ago
Andrew Dolgov
1f79d614c4
fix OTP QR code not displayed because of CSRF token passed as a query parameter
use type-strict comparison when validating CSRF token on the backend
4 years ago
Andrew Dolgov
9d3c794983
subscribe: allow pre-filling feed URL if passed via query string
4 years ago
Andrew Dolgov
33fdde249e
pass CSRF token to opml import and feed icon replace dialogs
4 years ago
Andrew Dolgov
42b5564d1e
editarticletags: load dialog via XHR
4 years ago
Andrew Dolgov
0706a328a4
handler: default base csrf_ignore() to false
4 years ago
Andrew Dolgov
0a142912d3
backend handler: require CSRF, remove obsolete code
4 years ago
Andrew Dolgov
154417d80b
public/logout: require valid CSRF token
4 years ago
Andrew Dolgov
cbcb10a272
Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection
4 years ago
Andrew Dolgov
8080c525fd
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
4 years ago
Andrew Dolgov
e670ac2ee5
require CSRF token for Article/redirect
4 years ago
Andrew Dolgov
7e50c6c4b5
- enable CSRF support earlier
- remove rpc/sanityCheck from CSRF-excluded calls
4 years ago
Andrew Dolgov
79f102c25d
af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
4 years ago
Andrew Dolgov
4a074111b5
user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean())
4 years ago
Andrew Dolgov
da98ba662e
public/subscribe: require valid CSRF token when validating the form
4 years ago
Andrew Dolgov
c3d14e1fa5
- fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
4 years ago
Andrew Dolgov
a922b3cc6d
order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting
4 years ago
Andrew Dolgov
67f02e2aa7
properly return counters for labels with zero assigned articles
refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766
4 years ago
Rodney Stromlund
88ced02622
Silence php 7.2 error message generated in `session_set_cookie_params`.
4 years ago
Andrew Dolgov
ddf9227dc4
pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc
4 years ago
Andrew Dolgov
dfa65e9374
move order_by to SQL override logic into a separate function
4 years ago
Andrew Dolgov
48be005774
instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp
4 years ago
Andrew Dolgov
05a47e5cf4
OPML: export/import per-feed purge interval
4 years ago
Paco Esteban
c4ee0e25a1
more int/string type mismatches on getCategories
4 years ago
Paco Esteban
3da618e0ea
make sure all ints are casted (to int) on getCategories
4 years ago
fox
68b78ecd3d
Merge branch 'bugfix/invalid-opml' of wn/tt-rss into master
4 years ago
Andrew Dolgov
b6372a846d
when exporting OPML via web UI, add user login to the filename
4 years ago
Andrew Dolgov
fa653f5a43
prefs: show disabled filters properly on mysql
4 years ago
Andrew Dolgov
2996a3942f
prefs: show root of filter tree as enabled so it's not grayed out
4 years ago
wn_
614d3ac1bf
Properly check if OPML file was loaded during import.
4 years ago
Andrew Dolgov
c352e872e9
core: pass found enclosures to HOOK_ARTICLE_FILTER
af_redditimgur: remove enclosures if we found something to embed because it's going to be a low-res thumbnail
4 years ago
Andrew Dolgov
6eb94f1e13
better support for image srcset attributes as discussed in https://community.tt-rss.org/t/problem-with-img-srcset/3519
5 years ago
Andrew Dolgov
d01ad09800
eslint-related fixes; move a few things from global context to App
5 years ago
Andrew Dolgov
c8cc845d5b
when removing favicon, reset its auto-refresh timer
5 years ago
Andrew Dolgov
06d2c65193
calculate_article_hash: don't die() on previous, woops
5 years ago
Andrew Dolgov
3a142cbf58
calculate_article_hash: ignore some useless or read-only fields (i.e. GUID) when calculating hash
5 years ago
Andrew Dolgov
cd1f3cb8cc
* store UID in article hashed GUID separately so it could be migrated cleanly to a different instance
* store resulting GUID as a JSON object so it could be extended easier if needed
5 years ago
Andrew Dolgov
7a2e9bef77
add --opml-export to update.php
5 years ago
Andrew Dolgov
c275a0cd33
DiskCache: append fake file extension when sending cached files based on mime type to make saving files easier
5 years ago
Andrew Dolgov
3a4b9249a9
DiskCache: properly deal with srcset attributes
5 years ago
Andrew Dolgov
4a00f96733
remove unneeded var_dump()
5 years ago
Andrew Dolgov
6573541873
* add HOOK_ENCLOSURE_IMPORTED
* pass feed id to HOOK_FEED_PARSED
5 years ago
Andrew Dolgov
44b1f0fcc0
search: add support for label:XXX search keyword
Labels: enforce case-insensitive lookups when creating/looking for labels
5 years ago
Andrew Dolgov
1f2a721905
allow overriding built-in templates via templates.local
5 years ago
lllusion3418
ec1b0befc7
add support for video[@src] in media cache
it's a valid alternative to a source[@src] child element:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/video
5 years ago
lllusion3418
cdde23b4dc
actually download <video> posters to media cache
video[@poster] is already supported in the rewriting logic but never
actually downloaded
5 years ago
lllusion3418
b4287a2e98
fix url rewriting for videos with poster and src
if a poster attribute was present only that would have been rewritten
and the (arguably more important) src attribute would be left as-is
5 years ago
Andrew Dolgov
208e02c47d
PluginHost/save_data: use separate PDO connection to prevent issues with nested transactions
5 years ago
Andrew Dolgov
bcbc5ccc78
batchSubscribe: use validationtextarea
5 years ago
Andrew Dolgov
f24ece85a6
add validationtextarea control, use it for filter match editor
5 years ago
Andrew Dolgov
8645f36c5b
filter test dialog: pass contents via xhr POST
5 years ago
Andrew Dolgov
bdb1e475e7
external subscribe dialog: support dark theme
5 years ago
Andrew Dolgov
b2876f6c72
share anything dialog: support dark theme
5 years ago
Andrew Dolgov
4ab3854aed
don't generate default.css, replace with themes/light.css as a default root CSS file
5 years ago
Andrew Dolgov
5f30061c92
properly calculate marked counters for feeds in nested categories
5 years ago
Andrew Dolgov
60288f02e8
1. feedtree: show counters for marked articles if view-mode == marked
2. hide/show relevant counter nodes using css
3. cleanup some counter-related code
4. compile default css into light theme to prevent cache-related issues
5 years ago
Andrew Dolgov
5b6d9cee29
prefs layout fixes:
1. prevent layout breakage when using an authenticator which doesn't allow changing passwords
2. show explanatory messages when OTP or password changing is not available
3. allow app (API) passwords when using any auth module
5 years ago
Andrew Dolgov
47135160d1
getCategoryCounters: properly handle categories which don't have any stored feeds/articles
5 years ago
Andrew Dolgov
88d4324e32
mark primary button in the default password dialog
5 years ago
Andrew Dolgov
776fe4768b
default password warning: fix close button, don't crash if dialog is recreated (on feed tree reload etc)
5 years ago
Andrew Dolgov
0e9e1ad112
getCategoryUnread: return correct unread count for labels category
5 years ago
Andrew Dolgov
cdd2b6fd22
getCategoryChildrenUnread: fix typo
5 years ago
Andrew Dolgov
a6ced36189
getCategoryCounters: properly calculate counters for child subcategory entries
getCategoryUnread: cleanup
5 years ago
Andrew Dolgov
a64b8a7fdb
getCategoryUnread: don't return unread counters for Special category because it doesn't make a lot of sense to do so
5 years ago
Andrew Dolgov
2f6741e49a
getFeedCounters: pass parameter correctly to PDO
5 years ago
Andrew Dolgov
6080cca9ca
scrap counter cache system; rework counters to sum() booleans instead
5 years ago
Andrew Dolgov
3b29e865b0
support night mode in feed debugger
5 years ago
Andrew Dolgov
aa56bcaf44
support night mode when using share by URL
5 years ago
Andrew Dolgov
f47998f569
generate_syndicated_feed: use local media in generated feeds if it is available
5 years ago
Andrew Dolgov
b1c5ebdace
API/getVersion: don't try to use removed VERSION constant
5 years ago
Andrew Dolgov
fdb1fc7608
get_version: fix commit/timestamp lost on subsequent invocations because of misbehaving caching
5 years ago
Andrew Dolgov
72d0fac80c
remove version.php and VERSION global constant, do version-related things in a slightly less ridiculous way
5 years ago
Andrew Dolgov
df464e3d0d
update app password notice
5 years ago
Andrew Dolgov
9c0235ab66
show current unread counter on headlines toolbar if sidebar is hidden
5 years ago
Andrew Dolgov
76dd74e0d9
add a hidden tweakable which forbids changing passwords
5 years ago
Andrew Dolgov
ac95ab4a65
user css dialog: allow saving and applying CSS without closing the dialog
5 years ago
Andrew Dolgov
565547f5a1
php 7.4 deprecation-related fixes
5 years ago
Andrew Dolgov
f30287be65
versioning changes
- remove VERSION_STATIC - https://community.tt-rss.org/t/versioning-changes-for-trunk/2974
- report git commit/timestamp properly by invoking git instead of trying to parse .git/HEAD etc
- remove git-related global constants used when checking for updates
5 years ago
Andrew Dolgov
d15f0349bf
remove hardcoded iframe domain whitelist, make iframe script whitelisting configurable by plugins (HOOK_IFRAME_WHITELISTED)
5 years ago
Andrew Dolgov
e5b7b145e5
cache media: set referrer to source URL when fetching images
5 years ago
Andrew Dolgov
304d3a0b88
tag-related fixes
1. move tag sanitization to feedparser common item class
2. enforce length limit on tags when parsing
3. support multiple tags passed via one dc:subject and other such elements, parse them as a comma-separated list
4. sort resulting tag list to prevent different order between feed updates
5. remove some duplicate code related to tag validation
6. allow + symbol in tags
5 years ago
Andrew Dolgov
8c3efd51ec
reset domain hit quota on feed update start
5 years ago
Andrew Dolgov
63ce7ea705
add a plugin page warning for plugins using HOOK_FEED_FETCHED, etc
5 years ago
Andrew Dolgov
0d7b10469b
update_rss_feed: add specific logging for HOOK_FETCH_FEED, HOOK_FEED_FETCHED, HOOK_FEED_PARSED handlers
5 years ago
Andrew Dolgov
5bb8dad631
is_gzipped: don't try to strpos() over entire buffer
5 years ago
Andrew Dolgov
f75fb6bd75
Merge branch 'master' of git.fakecake.org:tt-rss
5 years ago
Andrew Dolgov
266a805bfe
line endings + remove : from headings
5 years ago
Andrew Dolgov
05dffcff6f
OTP stuff: update notice wording a bit
5 years ago
Andrew Dolgov
812a6c9f16
auth_internal: fix indents
5 years ago
Andrew Dolgov
249130e58d
implement app password checking / management UI
5 years ago
Andrew Dolgov
68b0380118
add placeholder authentication via app passwords if service is passed
forbid logins via regular passwords for services
remove AUTH_DISABLE_OTP
5 years ago
Andrew Dolgov
88cd9e586e
add placeholder UI plumbing for app passwords
5 years ago
Andrew Dolgov
904ecc31e2
allow using OTP without GD
5 years ago
Andrew Dolgov
647c7c45eb
allow article filters to modify num_comments
5 years ago
Andrew Dolgov
2820f41a4b
add notification for OTP being disabled
5 years ago
Andrew Dolgov
ef514bc4bd
add notifications for mail and password changes
update and shorten some other message templates
5 years ago
jc
8fd11fd53a
Add const HOOK_FEED_TREE
5 years ago
jc
a243979aaf
Add const HOOK_FEED_TREE
5 years ago
Andrew Dolgov
4e05008aac
update_rss_feed: force cast initial timestamp value to integer
5 years ago
Rodney Stromlund
958c4dc124
Removed extra php end tag that was showing in the page title
5 years ago
Andrew Dolgov
b0d67cd3d0
rework previous to pass unformatted timestamp to plugin, and deal with formatting later
also, move timestamp-related debugging output after plugin handler
5 years ago
Andrew Dolgov
94a12b9674
pass formatted entry timestamp to article filters and allow them to modify it
5 years ago
Andrew Dolgov
06393750c7
headline grouping:
1. block grouping for specific feeds where it doesn't make a lot of sense to do so or flat list fits better (archived, recently read)
2. block per-week grouping for feeds where feed-first grouping makes more sense (fresh, starred, published)
5 years ago
Andrew Dolgov
12a542977e
makefeedtree: properly calculate feed total amount in no-categories mode
5 years ago
Andrew Dolgov
667836ec7c
SQL logger: log some parameters
5 years ago
Andrew Dolgov
3e4701116d
af_readability: add missing file
5 years ago
Andrew Dolgov
865c54abcb
fix get_method_url() to use correct method parameter
5 years ago
Andrew Dolgov
10c63ed582
pluginhost: add helper methods to get private/public pluginmethod endpoint URLs
5 years ago
Andrew Dolgov
e46ed1ff97
API/getHeadlines: fix order of returned feeds to be consistent with main UI
5 years ago
Andrew Dolgov
0e3b71c535
public/pluginhandler: log invalid requests
5 years ago
Andrew Dolgov
7f8946f14e
pluginhost: implement priority-based system for running hooks
5 years ago
Andrew Dolgov
5648b836aa
HOOK_ARTICLE_IMAGE: allow hooks to modify article content
5 years ago
Andrew Dolgov
75ab1f05f9
DiskCache::rewriteUrls() - remove img[@srcset]
5 years ago
Andrew Dolgov
9d852e052c
add HOOK_ARTICLE_IMAGE for Article::get_article_image()
5 years ago
Andrew Dolgov
ffb842f752
Article::get_article_image() - provide cached URLs if possible
5 years ago
Andrew Dolgov
150b040dad
Article::get_article_image() - set default to "" instead of "false"
5 years ago
Andrew Dolgov
d4df57e1a4
Article::get_article_image() - also return stream URI if possible
5 years ago
Andrew Dolgov
68e2b05f65
* move get_article_image to Article; implement better og:image detection (similar to android app)
* pass article image to API clients in headlines row object
5 years ago
Andrew Dolgov
c34726b2b2
consistency: use DiskCache->exists() to check for present files
5 years ago
Andrew Dolgov
6914ad1f74
retire MIN_CACHE_FILE_SIZE
5 years ago
Andrew Dolgov
84974c60a7
RSSUtils::cache_media, cache_enclosures: use DiskCache
5 years ago
Andrew Dolgov
39f459eb04
public/cached_url: forbid sending files with extensions
5 years ago
Andrew Dolgov
3c075bfd21
DiskCache: more strict checking for input filenames, getUrl() is no longer static
5 years ago
Andrew Dolgov
fdb6066bf6
* HOOK_ENCLOSURE_ENTRY: pass article_id to handler
* DiskCache: multiple fixes; support isWritable() for cache entries, set content-disposition for send()
* public/cached_url: allow selecting files from sub-caches other than images
* plugins/Cache_Starred_Images: rework to use DiskCache, can be enabled per-user, properly handles article enclosures, etc
5 years ago
Andrew Dolgov
bed695b127
DiskCache::expire: support .no-auto-expiry to prevent automatic cache maintenance
5 years ago
Andrew Dolgov
19b9b27662
expire_cached_files to DiskCache::expire()
5 years ago
Andrew Dolgov
133c2b482b
move rewrite_cached_urls to DiskCache::rewriteUrls()
5 years ago
Andrew Dolgov
b1dd38f880
add DiskCache.getUrl() and use it in a bunch of places
5 years ago
Andrew Dolgov
7602819b98
add DiskCache.send; switch af_zz_imgproxy to use DiskCache
5 years ago
Andrew Dolgov
82694bd6ce
add DiskCache.isWritable
5 years ago
Andrew Dolgov
86308b30ea
add classes/diskcache
5 years ago
Andrew Dolgov
6825aaff55
update SSL certificate wiki link
5 years ago
Andrew Dolgov
aa40a268f0
parser: support multiple dc:creator elements (returns as comma-separated list)
5 years ago
Andrew Dolgov
4edfb526e1
change version.json endpoint URL
5 years ago
Andrew Dolgov
e8523733b0
filter dialog: add inline regexp checker
5 years ago
Andrew Dolgov
86a014f23b
add placeholder Filters.filterDlgCheckRegExp
5 years ago
Andrew Dolgov
ea30061cce
public: fix share() returning random unshared articles if uuid is not given
5 years ago