Commit Graph

9 Commits (c0d1a6f85fd16f40798fd37e998d65fce05c29e5)

Author SHA1 Message Date
JustAMacUser 65b3926ae5 Ensure proxy_all setting is saved in database. 4 years ago
Andrew Dolgov 74568df4ff remove a lot of stuff from global context (functions.php), add a few helper classes instead 4 years ago
Andrew Dolgov a817d3794d * use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
4 years ago
Andrew Dolgov 91e1542a82 af_proxy_http: require separate token to access imgproxy 4 years ago
Andrew Dolgov 79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
4 years ago
Andrew Dolgov c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
4 years ago
Andrew Dolgov 10c63ed582 pluginhost: add helper methods to get private/public pluginmethod endpoint URLs 5 years ago
Andrew Dolgov bdf29856fb fix several leftover mentions of old (renamed) class name, duh 5 years ago
Andrew Dolgov de5669f723 af_zz_imgproxy: rename to af_proxy_http, use priority hook loader 5 years ago