Commit Graph

1744 Commits

Author SHA1 Message Date
Evan Prodromou
3fc1d245a1 Merge 1.1.x into master 2013-07-16 10:57:06 -07:00
Joshua Wise
89ba820246 Escape argument to prevent SQL injection attack in
User::getTaggedSubscriptions()

This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.
2013-07-16 10:47:29 -07:00
Joshua Wise
4a30da924a Escape argument to User::getTaggedSubscribers() to preven SQL injection
This change escapes the argument to User::getTaggedSubscribers() to
prevent SQL injection attacks.

Both code paths up the stack fail to escape this parameter, so this is
a potential SQL injection attack.
2013-07-16 10:43:56 -07:00
Joshua Wise
e54cb6958a Escape query parameters in Profile_tag::getTagged()
This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
2013-07-16 10:35:44 -07:00
Joshua Wise
5b118b3781 Escape SQL parameter in Profile_tag::moveTag()
This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
2013-07-16 10:27:30 -07:00
Joshua Wise
c5a710e081 Escape $tag passed to Profile::getTaggedSubscribers()
This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.
2013-07-16 10:14:38 -07:00
Joshua Wise
3fb2c06cba Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:11:26 -07:00
Joshua Wise
783e400d94 Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:09:16 -07:00
Evan Prodromou
e502bba259 Slightly more robust group-membership conversion 2013-06-30 12:07:55 -04:00
Evan Prodromou
8cc4660bd9 Better ID for notice activity 2013-06-15 12:07:52 -04:00
Evan Prodromou
7a5bd495c5 Better ID for notice activity 2013-06-15 12:07:34 -04:00
Evan Prodromou
bb0cf686df Pass null to Profile::profileInfo() 2013-06-08 21:12:29 -04:00
Evan Prodromou
806f7d439a Bad variable in Message::asActivity() 2013-06-08 21:07:51 -04:00
Evan Prodromou
f189d0b438 Bad variable in Message::asActivity() 2013-06-08 21:04:51 -04:00
Evan Prodromou
96d7b68c50 Store direct messages as an activity 2013-06-08 17:54:27 -04:00
Evan Prodromou
9fd2c3e1c9 Store direct messages as an activity 2013-06-08 17:45:49 -04:00
Evan Prodromou
14a111189d Merge remote-tracking branch 'origin/master' 2013-06-08 14:57:20 -04:00
Evan Prodromou
2252a9ffaf Throw exception if subscription is invalid 2013-06-08 14:56:57 -04:00
Evan Prodromou
08eca420ca Add generator to JSON output 2013-06-07 11:35:06 -04:00
Evan Prodromou
fe2c0a9687 Add generator to JSON output 2013-06-07 11:34:54 -04:00
Evan Prodromou
25823f6e5b Some better context for notices as arrays 2013-06-07 03:11:33 -04:00
Evan Prodromou
6164940e8c Some better context for notices as arrays 2013-06-07 03:11:23 -04:00
Evan Prodromou
7229533b0f Use real attachments for JSON output 2013-06-05 09:39:43 -04:00
Evan Prodromou
772383e84b Use real attachments for JSON output 2013-06-05 09:39:13 -04:00
Evan Prodromou
15d466ebe6 Don't add content as title for notes 2013-06-04 19:53:07 -04:00
Evan Prodromou
736bc9cc96 Don't add content as title for notes 2013-06-04 19:52:38 -04:00
Evan Prodromou
b493f3839c Use better type, title for service 2013-06-04 16:31:17 -04:00
Evan Prodromou
08c72a00e8 Use better type, title for service 2013-06-04 16:30:40 -04:00
Evan Prodromou
04f6e4ce7b Better registrationActivity 2013-06-04 15:21:33 -04:00
Evan Prodromou
d81b257290 Better registrationActivity 2013-06-04 15:20:00 -04:00
Evan Prodromou
fa1a1851db Add an ID to registered service 2013-06-03 09:11:29 -04:00
Evan Prodromou
9f94ed81ee Add an ID to registered service 2013-06-03 08:55:00 -04:00
Evan Prodromou
7ad5ed1db9 Merge branch 'master' of gitorious.org:statusnet/mainline 2013-06-02 15:24:57 -04:00
Evan Prodromou
49d265faa0 Add a registration activity to the end of every backup 2013-06-02 14:41:41 -04:00
Evan Prodromou
cbb5586ab7 Add a registration activity to the end of every backup 2013-06-02 14:38:00 -04:00
Evan Prodromou
ea8151688e Throw an exception converting fave to activity for non-existent notice or profile 2013-05-24 09:27:21 -04:00
Evan Prodromou
b359854150 Throw an exception converting fave to activity for non-existent notice or profile 2013-05-24 09:26:58 -04:00
Evan Prodromou
c5ef1e661e By default Notice::asActivity has a null argument 2013-04-14 12:02:52 -04:00
Evan Prodromou
6f424eb80f If there's an exception in notice distribution, continue 2012-11-25 10:39:49 -05:00
Evan Prodromou
1c3c269ab4 cache key for member_ids 2012-07-04 14:39:26 -04:00
Evan Prodromou
69fb79caae Cache IDs rather than profile objects 2012-07-04 14:38:06 -04:00
Evan Prodromou
642b1044cc Better user group member queries 2012-07-04 14:12:11 -04:00
Evan Prodromou
acf52a3041 Hide stuff if there's an exception getting the profile 2012-05-04 23:37:12 -04:00
Evan Prodromou
5f2b62927c let author see own spam 2012-04-23 21:25:53 -04:00
Evan Prodromou
4746016dd5 Don't convert deleted notices into repeats in Notice::asActivity() 2012-04-23 19:15:12 -04:00
Evan Prodromou
04ad0838be Add spam-training, spam-reviewing rights
Replaced the check for a moderator role in certain spam-training and
-reviewing points. Make sure modhelpers can check, too.
2012-03-25 13:18:16 -04:00
Evan Prodromou
3e46a9b164 Make blocks work for non-subscription deliveries 2012-03-23 12:55:51 -04:00
Evan Prodromou
3b09465fc4 flush anonymous scope when a profile is silenced 2012-03-22 11:37:59 -04:00
Evan Prodromou
d98a4be24e Merge branch '1.0.x' 2012-03-21 16:40:51 -04:00
Evan Prodromou
1c625bd040 show correct conversation notice count 2012-03-21 16:40:42 -04:00