Commit Graph

684 Commits (f72e6947d5048c4af5fcfc7bb8da64435bd6246a)

Author SHA1 Message Date
Andrew Dolgov a817d3794d * use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
4 years ago
Andrew Dolgov 0757ad0406 auth_internal: use type-strict comparison when checking OTP code 4 years ago
Andrew Dolgov 91e1542a82 af_proxy_http: require separate token to access imgproxy 4 years ago
Andrew Dolgov 79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url
cache/getUrl: basename() passed filename just in case
4 years ago
Andrew Dolgov 0758397dd8 af_redditimgur: don't add embedded blank gif image for rewritten videos 4 years ago
Andrew Dolgov c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
4 years ago
Andrew Dolgov c352e872e9 core: pass found enclosures to HOOK_ARTICLE_FILTER
af_redditimgur: remove enclosures if we found something to embed because it's going to be a low-res thumbnail
4 years ago
Nathan Warner f8d96543de Created hotkeys_force_top plugin
Renamed swap_jk to match new naming scheme.
5 years ago
Andrew Dolgov 9ae9302b6b implement keyboard-related changes discussed in https://community.tt-rss.org/t/changing-the-amount-of-scroll-by-arrow-key/3452/7 5 years ago
Andrew Dolgov 5e77d0062b use intersection observer to unpack visible articles, remove Headlines.unpackVisible() 5 years ago
Andrew Dolgov a802649d53 rename cdmScrollToId to cdmMoveToId
prevent smooth scrolling when going directly to an article
5 years ago
Andrew Dolgov 1f2a721905 allow overriding built-in templates via templates.local 5 years ago
Andrew Dolgov 4e74da590e af_readability: allow get full text button to work as a toggle; in cdm, scroll to article after embedding 5 years ago
Andrew Dolgov 96fa6e3002 af_comics: split contents of subscribe/basic_info/fetch hooks into appropriate per-comic filters 5 years ago
Andrew Dolgov ba7f7e72db af_comics: mention that Far Side needs cached media 5 years ago
Andrew Dolgov 61168847ac af_comics: escape all template urls 5 years ago
Andrew Dolgov 3b62150abd use canonical fetch url for Far Side 5 years ago
Andrew Dolgov db8a1f76c7 remove unnecessary debugging from previous 5 years ago
Andrew Dolgov 9b4053b1ea af_comics: add experimental support for The Far Side 5 years ago
Andrew Dolgov b159bbe55d af_readability: sanitize content requested for embedding 5 years ago
Andrew Dolgov 3b635c7557 fix plugins/note javascript part broken by previous changeset 5 years ago
Andrew Dolgov 71ff485fbf af_readability: add article button to embed content of a specific article 5 years ago
Andrew Dolgov 4ab3854aed don't generate default.css, replace with themes/light.css as a default root CSS file 5 years ago
koffieanon 3a3c74dfa4 Also match images with query string (size, tokens, etc). 5 years ago
koffieanon e89dd83f05 Spaces to tabs for consistency. 5 years ago
koffieanon 297a89c2d2 Fix bug processing found due to operator precedence. 5 years ago
Andrew Dolgov 72d0fac80c remove version.php and VERSION global constant, do version-related things in a slightly less ridiculous way 5 years ago
Andrew Dolgov 219840341c Af_Youtube_Embed: whitelist youtube iframes if enabled 5 years ago
Andrew Dolgov ffa3f9309f af_comics: support buni webtoon episodes 5 years ago
Andrew Dolgov f6090655bf 2fa: check TOTP based on previous secret values (oops of the year, 2019) 5 years ago
Andrew Dolgov 812a6c9f16 auth_internal: fix indents 5 years ago
Andrew Dolgov 249130e58d implement app password checking / management UI 5 years ago
Andrew Dolgov 68b0380118 add placeholder authentication via app passwords if service is passed
forbid logins via regular passwords for services
remove AUTH_DISABLE_OTP
5 years ago
Andrew Dolgov 178bcd4349 auth_internal: fix OTP seed checking 5 years ago
Andrew Dolgov ef514bc4bd add notifications for mail and password changes
update and shorten some other message templates
5 years ago
JustAMacUser 8459238f6c af_comics: Use a fixed time of day when generating fake feed for GoComics. Without this the timestamp is always updated to be the time the feed is fetched, which causes the comics to keep moving to the top/bottom of the article list depending on the sort order. (Using 11:00 a.m. UTC as that should keep the date the same across the majority of time zones.)
Try to get the actual title for GoComics comics.

Also a little code clean up.
5 years ago
Aleksandr Beliaev 7a4d5cc724 Fix error "mb_convert_encoding(): Illegal character encoding specified"
modified:   plugins/af_readability/init.php
5 years ago
Andrew Dolgov e887d68f21 af_readability: require php 7.0 5 years ago
Andrew Dolgov 3e4701116d af_readability: add missing file 5 years ago
Andrew Dolgov 10c63ed582 pluginhost: add helper methods to get private/public pluginmethod endpoint URLs 5 years ago
Andrew Dolgov bdf29856fb fix several leftover mentions of old (renamed) class name, duh 5 years ago
Andrew Dolgov de5669f723 af_zz_imgproxy: rename to af_proxy_http, use priority hook loader 5 years ago
Andrew Dolgov c34726b2b2 consistency: use DiskCache->exists() to check for present files 5 years ago
Andrew Dolgov 6914ad1f74 retire MIN_CACHE_FILE_SIZE 5 years ago
Andrew Dolgov d2f1cbfcb1 af_zz_imgproxy: redirect to cached_url (3!!) 5 years ago
Andrew Dolgov c6ae5fbda1 af_zz_imgproxy: redirect to cached_url if cache already exists so that urls are a bit shorter (2) 5 years ago
Andrew Dolgov e7edaca4db af_zz_imgproxy: redirect to cached_url if cache already exists so that urls are a bit shorter 5 years ago
Andrew Dolgov 3c075bfd21 DiskCache: more strict checking for input filenames, getUrl() is no longer static 5 years ago
Andrew Dolgov fdb6066bf6 * HOOK_ENCLOSURE_ENTRY: pass article_id to handler
* DiskCache: multiple fixes; support isWritable() for cache entries, set content-disposition for send()
* public/cached_url: allow selecting files from sub-caches other than images
* plugins/Cache_Starred_Images: rework to use DiskCache, can be enabled per-user, properly handles article enclosures, etc
5 years ago
Andrew Dolgov 7602819b98 add DiskCache.send; switch af_zz_imgproxy to use DiskCache 5 years ago