Commit Graph

14873 Commits

Author SHA1 Message Date
Evan Prodromou
3fc1d245a1 Merge 1.1.x into master 2013-07-16 10:57:06 -07:00
Joshua Wise
89ba820246 Escape argument to prevent SQL injection attack in
User::getTaggedSubscriptions()

This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.
2013-07-16 10:47:29 -07:00
Joshua Wise
4a30da924a Escape argument to User::getTaggedSubscribers() to preven SQL injection
This change escapes the argument to User::getTaggedSubscribers() to
prevent SQL injection attacks.

Both code paths up the stack fail to escape this parameter, so this is
a potential SQL injection attack.
2013-07-16 10:43:56 -07:00
Joshua Wise
e54cb6958a Escape query parameters in Profile_tag::getTagged()
This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
2013-07-16 10:35:44 -07:00
Joshua Wise
5b118b3781 Escape SQL parameter in Profile_tag::moveTag()
This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
2013-07-16 10:27:30 -07:00
Joshua Wise
c5a710e081 Escape $tag passed to Profile::getTaggedSubscribers()
This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.
2013-07-16 10:14:38 -07:00
Joshua Wise
3fb2c06cba Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:11:26 -07:00
Joshua Wise
783e400d94 Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:09:16 -07:00
Evan Prodromou
540b90dbd9 Better verb comparison 2013-06-30 12:08:11 -04:00
Evan Prodromou
e502bba259 Slightly more robust group-membership conversion 2013-06-30 12:07:55 -04:00
Evan Prodromou
66f4a39105 Squashed commit of the following:
commit bd23a7da105d635414643dfcedd9c8f710d565b8
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 07:49:03 2013 -0400

    Make the after flag work correctly

commit 5c5845a2f866f0bbffedd8e2e5d1f512f87d5329
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 06:14:43 2013 -0400

    Add an 'after' flag for backup script
2013-06-29 07:52:09 -04:00
Evan Prodromou
4092ee1bd1 Squashed commit of the following:
commit bd23a7da105d635414643dfcedd9c8f710d565b8
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 07:49:03 2013 -0400

    Make the after flag work correctly

commit 5c5845a2f866f0bbffedd8e2e5d1f512f87d5329
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 06:14:43 2013 -0400

    Add an 'after' flag for backup script
2013-06-29 07:49:43 -04:00
Evan Prodromou
660b8f0c9c Merge branch '1.1.x' of gitorious.org:statusnet/mainline into 1.1.x 2013-06-25 22:27:23 -04:00
Evan Prodromou
37bbb96e1b Better output for shares 2013-06-25 22:27:02 -04:00
Evan Prodromou
557105b86d Better output for shares 2013-06-25 22:26:27 -04:00
Evan Prodromou
0a23946e6b Add messages, directed notices to sim 2013-06-17 20:16:49 -07:00
Evan Prodromou
fb3981bb04 Set the site profile on install 2013-06-17 20:16:31 -07:00
Evan Prodromou
faf4e7e535 Make favorites in createsim 2013-06-16 02:18:19 +00:00
Evan Prodromou
35ff643230 Turn off Activity by default 2013-06-16 02:16:40 +00:00
Jean Baptiste Favre
707dd44f6b Merge commit 'merge-requests/192' into statusnet_1.1.x 2013-06-15 20:11:24 +02:00
Jean Baptiste Favre
fcdd4d2cf0 Fix introduced bug, trying to shorten an empty status. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
58a2630933 Code cleaning. Do call shortenLinks only once, right before saving new notice. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
344a10be8b Code cleaning, remove 'TEST' tags. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
ec072e0af7 Notice update with media attachment may fail through API when status text + attachment length get higher than max notice length. Calling URL shortener can make global length less than maxlength, though allowing notice update. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
6d47fadf42 Fix introduced bug, trying to shorten an empty status. 2013-06-15 19:04:32 +02:00
Jean Baptiste Favre
54374365e9 Code cleaning. Do call shortenLinks only once, right before saving new notice. 2013-06-15 19:04:31 +02:00
Jean Baptiste Favre
f803b22752 Code cleaning, remove 'TEST' tags. 2013-06-15 19:04:31 +02:00
Jean Baptiste Favre
6387e0a90d Notice update with media attachment may fail through API when status text + attachment length get higher than max notice length. Calling URL shortener can make global length less than maxlength, though allowing notice update. 2013-06-15 19:04:31 +02:00
Jean Baptiste Favre
1b39f89b96 Add configuration check. Need 'server', 'port', 'user' and 'password' to be defined (not valid, just defined). 2013-06-15 18:59:17 +02:00
Jean Baptiste Favre
f175512748 Remove static definition of imdaemon.php as valid daemon. 2013-06-15 18:59:17 +02:00
Jean Baptiste Favre
b8a69d023b Add basic support for GetValidDaemon event. Shall be extended with configuration check. 2013-06-15 18:59:16 +02:00
Jean Baptiste Favre
93c8969a27 Remove alone 'groups' link on the left side. Useless I guess. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
d1e46e61ac Add same CSS rules for #remoteprofile than for #showstream. Allows to hide avatars, like for local profiles. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
5a0f17933b Display notices for remote profile. Would like to hide avatar like in local profile but did not found how to do it. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
d48076253b Fix error 'No matches for action subscriptions with arguments nickname...' when displaying remote profile. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
368906258a You need an API key when using embed.ly. Unfortunatly oembedhelper.php does not support it. This commit aims to fix it. 2013-06-15 18:35:41 +02:00
Jean Baptiste Favre
d36f443666 Bookmark plugin enhancement: display Bookmark's list. Integration of @chimo's work (http://http://sn.chromic.org/) from https://github.com/chimo/BookmarkList into official plugin. 2013-06-15 18:31:05 +02:00
Evan Prodromou
8cc4660bd9 Better ID for notice activity 2013-06-15 12:07:52 -04:00
Evan Prodromou
7a5bd495c5 Better ID for notice activity 2013-06-15 12:07:34 -04:00
Evan Prodromou
67f80e8503 Merge remote-tracking branch 'origin/master' 2013-06-15 11:13:57 -04:00
Jean Baptiste Favre
180cc39c4a Fix for #3649 issue. 2013-06-15 17:01:10 +02:00
Jean Baptiste Favre
b23a744fba Fix for #3649 issue. 2013-06-15 16:58:50 +02:00
Jean Baptiste Favre
246e840dd3 Fix INSTALLDIR constant definition. 2013-06-15 15:20:19 +02:00
Jean Baptiste Favre
359f3ca113 Fix for #3651: oAuth apps list does only show the latest registered application 2013-06-15 14:19:15 +02:00
Jean Baptiste Favre
4284f28dec Fix for #3651: oAuth apps list does only show the latest registered application 2013-06-15 14:09:46 +02:00
Jean Baptiste Favre
dfafab6c4f Fix for #3463. Make InfiniteScroll plugin use config['plugins']['server'] if defined to build ajax-loader.gif URL 2013-06-15 13:13:15 +02:00
Jean Baptiste Favre
b05130bfb8 Fix missing variable in InfiniteScrollPlugin class. Fix issue #3525 2013-06-15 13:12:19 +02:00
Jean Baptiste Favre
d211348dae Makes ClientSideShorten loading shorten.js from config['plugins']['server'] if setted. Fix #3528 2013-06-15 12:34:25 +02:00
Jean Baptiste Favre
80da81ba14 Get rid of t.co links for notice's text version. Usefull for client using API. Complements merge-request #205 by @mmn 2013-06-15 11:30:17 +02:00
Jean Baptiste Favre
108aa5c467 Replace t.co links with expanded one provided by Twitter. Can still be a shortened one & will be done only for HTML view, but still a start. Backport of merge_requests/205. 2013-06-15 11:29:09 +02:00