public/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/git/tt-rss.git synced 2025-12-27 15:41:28 +00:00
Code Issues Releases Wiki Activity
10,028 Commits 21 Branches 0 Tags
05744bb474e55c4f85acd236dd2883679c278e70
Commit Graph

1614 Commits

Author SHA1 Message Date
Andrew Dolgov
05744bb474 fix updater never scheduling feeds for update if they never been updated before while having default update interval set 2020-09-22 20:33:51 +03:00
Andrew Dolgov
8fb2baecdc another hack for validation of URLs with invalid characters 2020-09-22 19:56:26 +03:00
Andrew Dolgov
a897c4165b validate URLs: convert IDN to punycode before passing URL to filter_var() 2020-09-22 15:32:22 +03:00
Andrew Dolgov
6811d0bde2 use self:: in some places to invoke static methods from the same class 2020-09-22 14:54:15 +03:00
Andrew Dolgov
b5710baf34 - don't fail on non-ascii characters when validating URLs 
- fix IDN hostnames not being converted properly
 2020-09-22 14:37:45 +03:00
Andrew Dolgov
ab6aa0ad3e fix previous re: resolve_redirects 2020-09-22 09:18:24 +03:00
Andrew Dolgov
74568df4ff remove a lot of stuff from global context (functions.php), add a few helper classes instead 2020-09-22 09:04:33 +03:00
Andrew Dolgov
3dd4169b5f clarify some URL validation-related error messages 2020-09-21 20:35:24 +03:00
Andrew Dolgov
4785f21316 update_rss_feed: log effective URL after fetching 
validate_url: treat scheme as case-insensitive
 2020-09-21 20:26:57 +03:00
Andrew Dolgov
05ef9aac2f update URL pointing to version.json 2020-09-19 07:33:59 +03:00
Andrew Dolgov
03a337a660 add basic safe mode which doesn't load any user plugins 2020-09-18 15:48:22 +03:00
Andrew Dolgov
a4525d31b2 replace FALSE with false so that static analyzer shuts up about it 2020-09-17 19:02:27 +03:00
Andrew Dolgov
afa0023c51 don't try to update manually disabled feeds even if they haven't been updated before or are marked for a manual update 2020-09-17 15:40:50 +03:00
Andrew Dolgov
37f41a5246 forgotpass: use type strict comparison for reset token 2020-09-17 11:49:27 +03:00
Andrew Dolgov
e3adacc588 fix several cases of Db class being invoked as wrong name (as DB) 2020-09-17 09:18:03 +03:00
Andrew Dolgov
89d53a7f49 fix typo in previous 2020-09-17 08:45:17 +03:00
Andrew Dolgov
1f79d614c4 fix OTP QR code not displayed because of CSRF token passed as a query 
parameter
use type-strict comparison when validating CSRF token on the backend
 2020-09-17 08:43:39 +03:00
Andrew Dolgov
9d3c794983 subscribe: allow pre-filling feed URL if passed via query string 2020-09-16 17:20:31 +03:00
Andrew Dolgov
33fdde249e pass CSRF token to opml import and feed icon replace dialogs 2020-09-16 06:43:55 +03:00
Andrew Dolgov
42b5564d1e editarticletags: load dialog via XHR 2020-09-15 18:47:19 +03:00
Andrew Dolgov
0706a328a4 handler: default base csrf_ignore() to false 2020-09-15 18:16:33 +03:00
Andrew Dolgov
0a142912d3 backend handler: require CSRF, remove obsolete code 2020-09-15 18:08:08 +03:00
Andrew Dolgov
154417d80b public/logout: require valid CSRF token 2020-09-15 16:59:11 +03:00
Andrew Dolgov
cbcb10a272 Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection 2020-09-15 16:28:09 +03:00
Andrew Dolgov
8080c525fd - backend: require CSRF token to be passed via POST 
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
 2020-09-15 16:12:53 +03:00
Andrew Dolgov
e670ac2ee5 require CSRF token for Article/redirect 2020-09-15 15:35:50 +03:00
Andrew Dolgov
7e50c6c4b5 - enable CSRF support earlier 
- remove rpc/sanityCheck from CSRF-excluded calls
 2020-09-15 15:32:17 +03:00
Andrew Dolgov
79f102c25d af_proxy_http: never print received data directly, always redirect to cached_url 
cache/getUrl: basename() passed filename just in case
 2020-09-15 08:02:28 +03:00
Andrew Dolgov
4a074111b5 user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean()) 2020-09-14 20:53:00 +03:00
Andrew Dolgov
da98ba662e public/subscribe: require valid CSRF token when validating the form 2020-09-14 20:21:22 +03:00
Andrew Dolgov
c3d14e1fa5 - fix multiple vulnerabilities in af_proxy_http 
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
 2020-09-14 19:46:52 +03:00
Andrew Dolgov
a922b3cc6d order_to_override_query: allow HOOK_HEADLINES_CUSTOM_SORT_OVERRIDE plugins to override built-in sorting 2020-09-11 07:48:22 +03:00
Andrew Dolgov
67f02e2aa7 properly return counters for labels with zero assigned articles 
refs https://community.tt-rss.org/t/label-counter-doesnt-update-when-count-goes-down-to-zero/3766
 2020-08-29 08:41:52 +03:00
Rodney Stromlund
88ced02622 Silence php 7.2 error message generated in session_set_cookie_params. 2020-08-14 10:47:46 -05:00
Andrew Dolgov
ddf9227dc4 pluginhost: allow overriding default sort modes via HOOK_HEADLINES_CUSTOM_SORT_MAP etc 2020-08-13 12:23:27 +03:00
Andrew Dolgov
dfa65e9374 move order_by to SQL override logic into a separate function 2020-08-13 11:52:32 +03:00
Andrew Dolgov
48be005774 instead of taking batch timestamp and score (?) into account, make oldest first sorting work consistently with newest first - i.e. rely on feed-provided timestamp 2020-08-11 13:29:09 +03:00
Andrew Dolgov
05a47e5cf4 OPML: export/import per-feed purge interval 2020-08-10 11:57:39 +03:00
Paco Esteban
c4ee0e25a1 more int/string type mismatches on getCategories 2020-08-01 16:30:10 +02:00
Paco Esteban
3da618e0ea make sure all ints are casted (to int) on getCategories 2020-07-31 16:15:16 +02:00
fox
68b78ecd3d Merge branch 'bugfix/invalid-opml' of wn/tt-rss into master 2020-07-01 14:48:02 +00:00
Andrew Dolgov
b6372a846d when exporting OPML via web UI, add user login to the filename 2020-07-01 10:02:24 +03:00
Andrew Dolgov
fa653f5a43 prefs: show disabled filters properly on mysql 2020-07-01 09:49:53 +03:00
Andrew Dolgov
2996a3942f prefs: show root of filter tree as enabled so it's not grayed out 2020-07-01 09:48:27 +03:00
wn_
614d3ac1bf Properly check if OPML file was loaded during import. 2020-06-27 15:06:08 -05:00
Andrew Dolgov
c352e872e9 core: pass found enclosures to HOOK_ARTICLE_FILTER 
af_redditimgur: remove enclosures if we found something to embed because it's going to be a low-res thumbnail
 2020-06-24 22:54:14 +03:00
Andrew Dolgov
6eb94f1e13 better support for image srcset attributes as discussed in https://community.tt-rss.org/t/problem-with-img-srcset/3519 2020-06-15 11:58:59 +03:00
Andrew Dolgov
d01ad09800 eslint-related fixes; move a few things from global context to App 2020-06-05 07:44:57 +03:00
Andrew Dolgov
c8cc845d5b when removing favicon, reset its auto-refresh timer 2020-05-22 15:06:52 +03:00
Andrew Dolgov
06d2c65193 calculate_article_hash: don't die() on previous, woops 2020-05-17 17:44:32 +03:00