Commit Graph

5771 Commits

Author SHA1 Message Date
Mikael Nordfeldth
747c91210f HTMLPurifier cache settings, put stuff in subdir of get_sys_temp_dir() 2016-02-28 13:30:47 +01:00
Mikael Nordfeldth
cd978fa153 Edited the list of allowed rel values 2016-02-28 13:16:52 +01:00
Mikael Nordfeldth
52a3764ae4 Resolve relative URLs (assuming URI.Base==notice URL)
The real way to do this would be to get the xml:base property from
the Atom feed but it's probably not there in any posts we see today.
2016-02-26 14:46:26 +01:00
Mikael Nordfeldth
29662eef5e Mentioning matches (@this too) now. 2016-02-26 00:08:51 +01:00
Mikael Nordfeldth
2669c51265 Allow sgf files if they're recognized in mime search
They are Go game files used on lamatriz.org. Note that my server
doesn't actually recognize these files and can identify the mime type,
but my browser did for some reason.
2016-02-26 00:05:07 +01:00
Mikael Nordfeldth
e6e1705852 Make uploads work properly if we accept _all_ attachment types
Also introduced $config['attachments']['extblacklist'] that can disable
certain file extensions (or rewrite them, for example php => phps)
2016-02-25 22:15:54 +01:00
Mikael Nordfeldth
128a00c4ab Include feeds in Link HTTP headers, for easier discovery 2016-02-24 16:48:44 +01:00
Mikael Nordfeldth
b59dacb806 getAliases for Profile and Notice
Also move fancyurlfix into site-wide $config['fix']['fancyurls']

TODO: getByUri should make use of this directly I guess?
2016-02-23 14:00:59 +01:00
Mikael Nordfeldth
5f7032dfee Verify that authenticated API calls are made from our domain name.
Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.

Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
2016-02-22 15:19:10 +01:00
Mikael Nordfeldth
ce803f6d06 WebFinger aliases with 'index.php/' 2016-02-21 20:00:07 +01:00
Mikael Nordfeldth
893d117309 throw new, not just throw 2016-02-21 19:01:37 +01:00
Mikael Nordfeldth
23e66bef64 common_fake_local_fancy_url to remove index.php/ from a local URL 2016-02-21 18:48:18 +01:00
Mikael Nordfeldth
afbdcf8938 Don't publish mbox_sha1sum in FOAF by default.
We say the email is private data, so reasonably we shouldn't reveal it
indirectly through a hash sum: http://xmlns.com/foaf/spec/#term_mbox_sha1sum
2016-02-19 00:10:05 +01:00
Mikael Nordfeldth
a838c90951 Only show "public:site" in ToSelector if notice/allowprivate is true 2016-02-18 00:33:16 +01:00
Mikael Nordfeldth
f68d1ade3f Put "Everyone" and "Everyone at [local instance]" at the top of ToSelector 2016-02-18 00:32:09 +01:00
Mikael Nordfeldth
543d968b81 NoAcctUriException->profile not $e directly 2016-02-18 00:13:59 +01:00
Mikael Nordfeldth
a361fdbd77 Sort ToSelector by AcctUri 2016-02-18 00:05:09 +01:00
Mikael Nordfeldth
73dbc5ca1b Use ToSelector choice again. 2016-02-17 23:44:15 +01:00
Mikael Nordfeldth
d2c11925bf To-selector padlock only shown if site config notice/allowprivate is true 2016-02-17 23:06:11 +01:00
Mikael Nordfeldth
5fbb01130a By default, disallow users to set private_stream 2016-02-17 22:58:31 +01:00
Mikael Nordfeldth
d2507a6266 Gotta declare FullNoticeStream as abstract class 2016-02-16 02:24:38 +01:00
Mikael Nordfeldth
46829c6d3c FullNoticeStream selects all verbs. 2016-02-16 02:21:39 +01:00
Mikael Nordfeldth
2d1b70c94d created column was ambigououuuouuus 2016-02-15 09:59:34 +01:00
Mikael Nordfeldth
2301862ae6 We only want POST and SHARE in the inbox/home timeline right? 2016-02-15 09:59:18 +01:00
Mikael Nordfeldth
dcb7ce36d8 Show shares in public timeline
Also, the unselect rule for DELETE was useless anyway since it would
already have been filtered out by not having true.

(the => false stuff are for when you want ALL _except_ that)
2016-02-14 20:53:26 +01:00
Mikael Nordfeldth
e2a090c9cc Use NoticeStream::filterVerbs for filtering in noticestreams 2016-02-14 20:46:13 +01:00
Mikael Nordfeldth
be14e15dac Hide attachments in notices by silenced profiles 2016-02-13 13:17:39 +01:00
Mikael Nordfeldth
e5ad98e601 Silence action can only be used on non-priviliged users 2016-02-12 14:22:25 +01:00
Mikael Nordfeldth
f10625f8bc file and avatar dirs on instances with no such dirs in filesystem 2016-02-12 02:29:33 +01:00
Mikael Nordfeldth
338df7e35b Fix Nickname::isSystemPath() work properly for routes 2016-02-12 02:21:11 +01:00
Mikael Nordfeldth
67dfc0a046 application/xml allowed in uploads 2016-02-11 00:04:14 +01:00
Mikael Nordfeldth
733debd9b3 Use thumbnail upscaling config value 2016-02-10 04:40:54 +01:00
Mikael Nordfeldth
8806cce735 Default to avoid upscaling of thumbnails. 45x45=>450x450 is ugly 2016-02-10 04:40:10 +01:00
Mikael Nordfeldth
a61235086b Use config site/sslproxy to force HTTPS (i.e. using reverse proxy to enable it)
Usage in config.php: $config['site']['sslproxy'] = true;

Add this to documentation...
2016-02-10 01:05:02 +01:00
Mikael Nordfeldth
ec257d940a Either use or don't use HTTPS
The risk of injection attacks using HTTP is too great to allow a
site that allows both HTTP and HTTPS...
2016-02-10 00:57:39 +01:00
Mikael Nordfeldth
dcf29c2a07 s/isHTTPS/useHTTPS/ for HTTPS URL generation 2016-02-10 00:38:14 +01:00
Mikael Nordfeldth
cd71188d3a SimpleCaptcha plugin to stop basic bots 2016-02-08 17:47:09 +01:00
Mikael Nordfeldth
d98784e059 Use functions instead of accessing properties in twitterUserArray 2016-02-08 12:21:58 +01:00
Mikael Nordfeldth
2938b3e960 Don't return true on requiresAuth if screen_name==='0' 2016-02-08 12:14:35 +01:00
Mikael Nordfeldth
13cf744fb3 Allow screennames that are === '0' 2016-02-08 11:40:46 +01:00
Mikael Nordfeldth
2686635f60 Keep the rel="tag" in HTML when purifying 2016-02-07 12:50:26 +01:00
Mikael Nordfeldth
d6664f5735 Hidespam by default
...why would something described as "Whether to hide silenced users from timelines"
be set to false by default? :)
2016-02-07 02:33:53 +01:00
Mikael Nordfeldth
098c8b1df4 NoHttpResponseException extends HTTP_Request2_ConnectionException 2016-02-07 01:52:20 +01:00
Mikael Nordfeldth
60804d1902 ES3 compatibility layer not necessary (noone uses IE8 etc.)
All browsers with javascript support also support ES5 nowadays. Anyone
using older software should upgrade for other reasons, such as security.
2016-02-04 11:37:24 +01:00
Mikael Nordfeldth
d5ecbd05a1 Forgot a break in a switch when rendering attachments. 2016-02-03 19:32:51 +01:00
Mikael Nordfeldth
9960714896 Disallow zero-length magnet URIs
magnet: would match, but now we have a zero-length lookahead which
requires the following character to be a question mark: magnet:?
2016-02-03 15:26:19 +01:00
Mikael Nordfeldth
90045d66ea HTMLPurifierSchemes plugin to allow geo and magnet URIs 2016-02-03 14:36:51 +01:00
Mikael Nordfeldth
349dba8be0 Only allow our specified URI schemes 2016-02-03 14:31:16 +01:00
Mikael Nordfeldth
e903bd0bc3 Hacky support for geo URI detection
Won't work with common_purify yet because there is no geo uri scheme for it
2016-02-03 14:19:08 +01:00
Mikael Nordfeldth
b1ed1f48ea Configurable linkify for bare IPv4/IPv6 2016-02-03 12:55:00 +01:00
Mikael Nordfeldth
84930f89f9 Don't allow account backups by default. 2016-02-03 01:08:36 +01:00
Mikael Nordfeldth
19b743a9f5 Set time limit to increase time backupaccount can take
Wills till run out of memory probably, we should fix that.
2016-02-03 01:04:14 +01:00
Mikael Nordfeldth
9fcfb7cb1d Proper error message on too much POST data 2016-02-03 01:03:58 +01:00
Mikael Nordfeldth
a2b914ce60 Get URL schemes by URL type 2016-02-03 00:18:37 +01:00
Mikael Nordfeldth
43abfe659b Bump beta number to 4
We have better webfinger @mention@capability.example at least and
OpportunisticQM is somewhat refined.
2016-01-30 00:04:18 +01:00
Mikael Nordfeldth
367fc054dc Merge branch 'master' into mmn_fixes 2016-01-30 00:03:25 +01:00
Mikael Nordfeldth
36f099958c Don't match @nickname on @nickname@server.com 2016-01-29 15:53:58 +01:00
Mikael Nordfeldth
cb40f72c7e Use the profile URI when linking instead of URL
since we'll then get to /user/$id instead of /$nickname which is
good for future archives if someone changes their nickname...
2016-01-29 15:21:01 +01:00
Mikael Nordfeldth
6b31feb70f Strict Standards: Declaration of MysqlSchema::get()
should be compatible with Schema::get($conn = NULL)
2016-01-28 20:18:06 +01:00
Mikael Nordfeldth
7e6783bb8f Replace htmLawed with HTMLPurifier 2016-01-28 19:01:13 +01:00
Mikael Nordfeldth
34093388a7 Merge branch 'nightly' of git.gnu.io:gnu/gnu-social into mmn_fixes 2016-01-27 22:43:37 +01:00
mmn
52778e1882 Merge branch 'json_encode_fail_branch' into 'nightly'
output error if json_encode fails



See merge request !86
2016-01-26 21:16:24 +00:00
mmn
42545c6625 Merge branch 'mention_branch' into 'nightly'
correct mentions if parent mentions multiple users with same nickname (don't use first one for all)



See merge request !82
2016-01-26 21:15:25 +00:00
Mikael Nordfeldth
a48055a3cc Merge branch 'nightly' of git.gnu.io:gnu/gnu-social into mmn_fixes 2016-01-25 20:22:16 +01:00
hannes
e447964639 remove my ugly debug info 2016-01-25 19:10:35 +00:00
hannes
b1b6a0a69c config['follow_redirects'] is the extlib's config! if max_redirs is set we want to do our own redirection following in this function 2016-01-25 19:03:26 +00:00
Mikael Nordfeldth
b15434375c Show plain text files on attachment page. 2016-01-25 16:54:40 +01:00
Mikael Nordfeldth
a9d18a077e Harmonize, clarify, categorize URL schemes
Regular expression + avoid-redirection list now match each other.
2016-01-24 12:47:31 +01:00
Mikael Nordfeldth
1cec627d72 Allow bitcoin scheme to URLs 2016-01-24 12:44:28 +01:00
hannes
4e50717e12 output error if json_encode fails 2016-01-23 15:01:27 +00:00
Mikael Nordfeldth
89dd44bf3e default connect_timeout to 5 instead of extlib 10 2016-01-22 12:20:03 +01:00
Mikael Nordfeldth
3f9c1c142a Removing unnecessary debug messages etc. 2016-01-21 02:49:34 +01:00
Mikael Nordfeldth
45446f17ad Only set selectVerbs if it's not set in class var 2016-01-21 02:37:38 +01:00
Mikael Nordfeldth
d3a4a2225f We want the profile stream to be as raw as possible! 2016-01-21 02:33:43 +01:00
Mikael Nordfeldth
f74d2d555c Working on some RSVP code stuff 2016-01-21 02:10:34 +01:00
Mikael Nordfeldth
5999171c11 Throw NoObjectTypeException on Notice->getObjectType if no string 2016-01-20 21:37:14 +01:00
Mikael Nordfeldth
21cc737f5c Cancelling RSVPs now seems to work. 2016-01-20 16:10:10 +01:00
hannes
de047f9727 correct mentions if parent mention multiple users with same nickname (don't use first one for all) 2016-01-19 13:41:25 +00:00
Mikael Nordfeldth
15d12b209d Don't include delete verbs in profile notice stream. 2016-01-18 22:04:42 +01:00
Mikael Nordfeldth
f768de4b46 default connect_timeout to 5 instead of extlib 10 2016-01-18 22:01:45 +01:00
Mikael Nordfeldth
cae344b67b Events are now saved but not displayed properly again 2016-01-18 20:57:44 +01:00
Mikael Nordfeldth
bdc38a7204 Initial user doesn't need as strict checking on email 2016-01-17 00:39:49 +01:00
Mikael Nordfeldth
deda83fdef Distinguish notice saving errors from others for Salmon 2016-01-16 22:39:04 +01:00
Mikael Nordfeldth
4678546d33 We want exceptions to be noticable in activityhandlerplugin 2016-01-16 21:19:34 +01:00
Mikael Nordfeldth
3019f8f23f dbqueuemanager logic 2016-01-16 21:05:34 +01:00
Mikael Nordfeldth
f53ebdeadb Start handling salmon entries directly with Notice::saveActivity
More to come...
2016-01-16 17:25:29 +01:00
Mikael Nordfeldth
1f76c1e4a9 Initial user doesn't need as strict checking on email 2016-01-16 17:23:50 +01:00
mmn
44c10bb2aa Merge branch 'oembed_branch' into 'nightly'
purify oembed html and don't allow cdata

hopefully we never need stuff in cdata

reason for this is that this link serves javascript in its oembed data: https://www.maketecheasier.com/switch-windows-10-to-linux/

see:
https://www.maketecheasier.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.maketecheasier.com%2Fswitch-windows-10-to-linux%2F

i don't feel we want that in our database.  

See merge request !79
2016-01-15 13:11:35 +00:00
Mikael Nordfeldth
16088d9439 ErrorAction and InfoAction fixes, are now ManagedAction 2016-01-14 21:28:47 +01:00
Mikael Nordfeldth
bc0a903bd4 ErrorAction to autodiscoverable file. 2016-01-14 21:21:34 +01:00
Mikael Nordfeldth
b530d385bc Exception object was not supplied there 2016-01-14 18:51:46 +01:00
Mikael Nordfeldth
0caf0612d0 Make Twitter Media upload API v1.1 reach us
Now we just have to accept the 'media' or 'media_data' (base64 encoded)
POST arguments instead of $_FILES uploads.
2016-01-14 18:29:21 +01:00
Mikael Nordfeldth
6e49281adb Use the Action class itself as error handler 2016-01-14 18:21:11 +01:00
Mikael Nordfeldth
c173c4faa5 Actually throw NoQueueHandlerException too. 2016-01-14 13:48:33 +01:00
Mikael Nordfeldth
df00a88cb4 Forgot to add NoRouteMapException to 6834f355f2 2016-01-14 13:07:00 +01:00
Mikael Nordfeldth
6834f355f2 Making ClientExceptions turn into ClientErrorAction
Got some 404s which were presented as 500
2016-01-14 02:47:28 +01:00
Mikael Nordfeldth
99261e0781 Don't LOG_ERR missing paths (misspelling clients aren't errors) 2016-01-14 02:22:47 +01:00
Mikael Nordfeldth
331abf173b Forgot semicolon 2016-01-14 02:05:33 +01:00
Mikael Nordfeldth
f699ffeb8a Exception handling in queue handler logic 2016-01-14 02:04:15 +01:00
Mikael Nordfeldth
0ddaa6ff75 Handle exceptions in QueueHandler classes 2016-01-14 01:47:13 +01:00