GNUsocial/gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity
14,762 Commits 8 Branches 4 Tags 310 MiB
89ba820246
Commit Graph

14762 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Joshua Wise
89ba820246 Escape argument to prevent SQL injection attack in 
User::getTaggedSubscriptions()

This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.
 2013-07-16 10:47:29 -07:00
Joshua Wise
4a30da924a Escape argument to User::getTaggedSubscribers() to preven SQL injection 
This change escapes the argument to User::getTaggedSubscribers() to
prevent SQL injection attacks.

Both code paths up the stack fail to escape this parameter, so this is
a potential SQL injection attack.
 2013-07-16 10:43:56 -07:00
Joshua Wise
e54cb6958a Escape query parameters in Profile_tag::getTagged() 
This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
 2013-07-16 10:35:44 -07:00
Joshua Wise
5b118b3781 Escape SQL parameter in Profile_tag::moveTag() 
This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
 2013-07-16 10:27:30 -07:00
Joshua Wise
c5a710e081 Escape $tag passed to Profile::getTaggedSubscribers() 
This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.
 2013-07-16 10:14:38 -07:00
Joshua Wise
3fb2c06cba Potential SQL injection in Local_group::setNickname() 
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
 2013-07-16 10:11:26 -07:00
Evan Prodromou
4092ee1bd1 Squashed commit of the following: 
commit bd23a7da105d635414643dfcedd9c8f710d565b8
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 07:49:03 2013 -0400

    Make the after flag work correctly

commit 5c5845a2f866f0bbffedd8e2e5d1f512f87d5329
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 06:14:43 2013 -0400

    Add an 'after' flag for backup script
 2013-06-29 07:49:43 -04:00
Evan Prodromou
660b8f0c9c Merge branch '1.1.x' of gitorious.org:statusnet/mainline into 1.1.x 2013-06-25 22:27:23 -04:00
Evan Prodromou
37bbb96e1b Better output for shares 2013-06-25 22:27:02 -04:00
Jean Baptiste Favre
707dd44f6b Merge commit 'merge-requests/192' into statusnet_1.1.x 2013-06-15 20:11:24 +02:00
Jean Baptiste Favre
fcdd4d2cf0 Fix introduced bug, trying to shorten an empty status. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
58a2630933 Code cleaning. Do call shortenLinks only once, right before saving new notice. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
344a10be8b Code cleaning, remove 'TEST' tags. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
ec072e0af7 Notice update with media attachment may fail through API when status text + attachment length get higher than max notice length. Calling URL shortener can make global length less than maxlength, though allowing notice update. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
1b39f89b96 Add configuration check. Need 'server', 'port', 'user' and 'password' to be defined (not valid, just defined). 2013-06-15 18:59:17 +02:00
Jean Baptiste Favre
f175512748 Remove static definition of imdaemon.php as valid daemon. 2013-06-15 18:59:17 +02:00
Jean Baptiste Favre
b8a69d023b Add basic support for GetValidDaemon event. Shall be extended with configuration check. 2013-06-15 18:59:16 +02:00
Jean Baptiste Favre
93c8969a27 Remove alone 'groups' link on the left side. Useless I guess. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
d1e46e61ac Add same CSS rules for #remoteprofile than for #showstream. Allows to hide avatars, like for local profiles. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
5a0f17933b Display notices for remote profile. Would like to hide avatar like in local profile but did not found how to do it. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
d48076253b Fix error 'No matches for action subscriptions with arguments nickname...' when displaying remote profile. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
368906258a You need an API key when using embed.ly. Unfortunatly oembedhelper.php does not support it. This commit aims to fix it. 2013-06-15 18:35:41 +02:00
Jean Baptiste Favre
d36f443666 Bookmark plugin enhancement: display Bookmark's list. Integration of @chimo's work (http://http://sn.chromic.org/) from https://github.com/chimo/BookmarkList into official plugin. 2013-06-15 18:31:05 +02:00
Evan Prodromou
7a5bd495c5 Better ID for notice activity 2013-06-15 12:07:34 -04:00
Jean Baptiste Favre
b23a744fba Fix for #3649 issue. 2013-06-15 16:58:50 +02:00
Jean Baptiste Favre
359f3ca113 Fix for #3651: oAuth apps list does only show the latest registered application 2013-06-15 14:19:15 +02:00
Jean Baptiste Favre
80da81ba14 Get rid of t.co links for notice's text version. Usefull for client using API. Complements merge-request #205 by @mmn 2013-06-15 11:30:17 +02:00
Jean Baptiste Favre
108aa5c467 Replace t.co links with expanded one provided by Twitter. Can still be a shortened one & will be done only for HTML view, but still a start. Backport of merge_requests/205. 2013-06-15 11:29:09 +02:00
Evan Prodromou
f8393d10b7 Bad variable in ActivityObject::fromMessage() 2013-06-08 21:05:09 -04:00
Evan Prodromou
f189d0b438 Bad variable in Message::asActivity() 2013-06-08 21:04:51 -04:00
Evan Prodromou
0a0aeed413 Use the link property for the URL, not the ID 2013-06-08 19:19:16 -04:00
Evan Prodromou
393130d80f Add direct messages to backup 2013-06-08 17:53:47 -04:00
Evan Prodromou
9fd2c3e1c9 Store direct messages as an activity 2013-06-08 17:45:49 -04:00
Evan Prodromou
ec04acb9b4 Some more well-known sources from plugins 2013-06-07 11:49:34 -04:00
Evan Prodromou
fe2c0a9687 Add generator to JSON output 2013-06-07 11:34:54 -04:00
Evan Prodromou
25823f6e5b Some better context for notices as arrays 2013-06-07 03:11:33 -04:00
Evan Prodromou
9a3c3c5cf8 Coerce width, height of media link to integer 2013-06-07 00:30:04 -04:00
Evan Prodromou
77f23354ad Fix the switch on type 2013-06-05 16:58:31 -04:00
Evan Prodromou
a6bb41a742 Better type check, better URL 2013-06-05 16:51:35 -04:00
Evan Prodromou
dbceb7ba1a Better URL creation for attachments 2013-06-05 16:14:07 -04:00
Evan Prodromou
7366ee73f5 Better handling of null values in ActivityObject::mimeTypeToObjectType 2013-06-05 16:14:02 -04:00
Evan Prodromou
772383e84b Use real attachments for JSON output 2013-06-05 09:39:13 -04:00
Evan Prodromou
460d80d09e Don't set the title of a notice to its plain-text content. 2013-06-04 22:28:45 -04:00
Evan Prodromou
736bc9cc96 Don't add content as title for notes 2013-06-04 19:52:38 -04:00
Evan Prodromou
fa6138195b Change geopoint to location 2013-06-04 17:23:09 -04:00
Evan Prodromou
b2849c4bb3 Remove duplicate of extensions 2013-06-04 17:15:43 -04:00
Evan Prodromou
46f43052f9 Use status_net, portablecontacts_net namespaces 2013-06-04 17:12:54 -04:00
Evan Prodromou
cba2b1ad9c Slightly better ActivityStreams JSON output 2013-06-04 17:01:05 -04:00
Evan Prodromou
08c72a00e8 Use better type, title for service 2013-06-04 16:30:40 -04:00
Evan Prodromou
64bf691c9c Add the service type for activity objects 2013-06-04 16:29:47 -04:00