Commit Graph

16097 Commits

Author SHA1 Message Date
Mikael Nordfeldth
2e8b729503 Issue 3636 request clarity for users without validated emails on instances with RequireValidatedEmail active 2013-08-12 12:56:40 +02:00
Mikael Nordfeldth
1095f7a935 new plugin to check, store and migrate password hashes to crypt() 2013-08-12 12:54:51 +02:00
Mikael Nordfeldth
56cfd2bf22 comparing a url scheme should be done case insensitively 2013-08-12 12:52:50 +02:00
Mikael Nordfeldth
f433f7ce77 if parameters are not 0, null then limit will be PROFILES_PER_PAGE
If you look at classes/User_group.php on line 412 in the current code, you can see that a call to $profile->getGroups() is made. This implies getGroups($offset=0, $limit=PROFILES_PER_PAGE) only giving a limited amount of groups.

This means only the first 20 groups in an ascending numerical order by locally stored User_group->id will be addressable with the bangtag syntax.

I solved this by making the getGroups() call to the same one made in Profile->isMember(), i.e. $profile->getGroups(0, null);
2013-08-12 12:50:23 +02:00
Mikael Nordfeldth
ea837cea67 added missing return statement after showForm call
Issue #3125 at http://status.net/open-source/issues/3125 (and its duplicate 3127) describe buggy behaviour when trying to create a new group - i.e. the group is still created but with nickname NULL.

The reason the group is created is that when failing Nickname::normalize, the function trySave() in actions/newgroup.php doesn't call 'return' - meaning it just keeps going despite the error thrown. It a

So the simple solution to this bug was adding a return call at line 128, inside the catch just after the showForm(...) call.
2013-08-12 12:44:19 +02:00
Mikael Nordfeldth
3ad3535cd8 Merge commit 'refs/merge-requests/230' of git://gitorious.org/statusnet/mainline into merge-requests/230 2013-08-12 12:37:46 +02:00
Mikael Nordfeldth
7d8e199a3f Update to DB_DataObject 1.11.2
Now there's definitely no PHP4 support whatsoever, if there even
was little of it before this commit.
2013-08-12 12:34:37 +02:00
Mikael Nordfeldth
f79aec36fe Merge remote-tracking branch 'statusnet/master'
This merges GNU Social with current development of StatusNet. The only conflicts were some documentation, where GNU Social's versions were retained.

Conflicts:
	doc-src/about
	doc-src/faq
	plugins/OpenID/doc-src/openid
2013-08-12 12:23:17 +02:00
Evan Prodromou
2a70ed27e7 Merge branch '1.1.x' 2013-07-16 15:06:51 -04:00
Evan Prodromou
f48ade3a81 Fix broken Italian translation in facebook bridge 2013-07-16 11:28:29 -07:00
Evan Prodromou
6bf2c182b3 Upgrade version number
Conflicts:
	lib/framework.php
2013-07-16 11:25:25 -07:00
Evan Prodromou
971636fb9b Upgrade version number 2013-07-16 11:23:47 -07:00
Evan Prodromou
3fc1d245a1 Merge 1.1.x into master 2013-07-16 10:57:06 -07:00
Joshua Wise
89ba820246 Escape argument to prevent SQL injection attack in
User::getTaggedSubscriptions()

This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.
2013-07-16 10:47:29 -07:00
Joshua Wise
4a30da924a Escape argument to User::getTaggedSubscribers() to preven SQL injection
This change escapes the argument to User::getTaggedSubscribers() to
prevent SQL injection attacks.

Both code paths up the stack fail to escape this parameter, so this is
a potential SQL injection attack.
2013-07-16 10:43:56 -07:00
Joshua Wise
e54cb6958a Escape query parameters in Profile_tag::getTagged()
This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
2013-07-16 10:35:44 -07:00
Joshua Wise
5b118b3781 Escape SQL parameter in Profile_tag::moveTag()
This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
2013-07-16 10:27:30 -07:00
Joshua Wise
c5a710e081 Escape $tag passed to Profile::getTaggedSubscribers()
This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.
2013-07-16 10:14:38 -07:00
Joshua Wise
3fb2c06cba Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:11:26 -07:00
Joshua Wise
783e400d94 Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:09:16 -07:00
Evan Prodromou
540b90dbd9 Better verb comparison 2013-06-30 12:08:11 -04:00
Evan Prodromou
e502bba259 Slightly more robust group-membership conversion 2013-06-30 12:07:55 -04:00
Evan Prodromou
66f4a39105 Squashed commit of the following:
commit bd23a7da105d635414643dfcedd9c8f710d565b8
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 07:49:03 2013 -0400

    Make the after flag work correctly

commit 5c5845a2f866f0bbffedd8e2e5d1f512f87d5329
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 06:14:43 2013 -0400

    Add an 'after' flag for backup script
2013-06-29 07:52:09 -04:00
Evan Prodromou
4092ee1bd1 Squashed commit of the following:
commit bd23a7da105d635414643dfcedd9c8f710d565b8
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 07:49:03 2013 -0400

    Make the after flag work correctly

commit 5c5845a2f866f0bbffedd8e2e5d1f512f87d5329
Author: Evan Prodromou <evan@e14n.com>
Date:   Sat Jun 29 06:14:43 2013 -0400

    Add an 'after' flag for backup script
2013-06-29 07:49:43 -04:00
Evan Prodromou
660b8f0c9c Merge branch '1.1.x' of gitorious.org:statusnet/mainline into 1.1.x 2013-06-25 22:27:23 -04:00
Evan Prodromou
37bbb96e1b Better output for shares 2013-06-25 22:27:02 -04:00
Evan Prodromou
557105b86d Better output for shares 2013-06-25 22:26:27 -04:00
Jean Baptiste Favre
723f0f1929 PHP 5.4: Fix 'mysql has gone away' error when using mysqli driver with forked daemons (at least TwitterBridge) 2013-06-20 11:07:51 +02:00
Jean Baptiste Favre
f1a3d5a386 PHP 5.4 Fix GetValidDaemons function definition for Xmpp & TwitterBridge plugins 2013-06-19 13:25:28 +02:00
Jean Baptiste Favre
c23efdbdb0 PHP 5.4 compatibility: remove call-time pass by reference 2013-06-19 11:16:05 +02:00
Evan Prodromou
0a23946e6b Add messages, directed notices to sim 2013-06-17 20:16:49 -07:00
Evan Prodromou
fb3981bb04 Set the site profile on install 2013-06-17 20:16:31 -07:00
Evan Prodromou
faf4e7e535 Make favorites in createsim 2013-06-16 02:18:19 +00:00
Evan Prodromou
35ff643230 Turn off Activity by default 2013-06-16 02:16:40 +00:00
Jean Baptiste Favre
707dd44f6b Merge commit 'merge-requests/192' into statusnet_1.1.x 2013-06-15 20:11:24 +02:00
Jean Baptiste Favre
fcdd4d2cf0 Fix introduced bug, trying to shorten an empty status. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
58a2630933 Code cleaning. Do call shortenLinks only once, right before saving new notice. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
344a10be8b Code cleaning, remove 'TEST' tags. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
ec072e0af7 Notice update with media attachment may fail through API when status text + attachment length get higher than max notice length. Calling URL shortener can make global length less than maxlength, though allowing notice update. 2013-06-15 19:07:43 +02:00
Jean Baptiste Favre
6d47fadf42 Fix introduced bug, trying to shorten an empty status. 2013-06-15 19:04:32 +02:00
Jean Baptiste Favre
54374365e9 Code cleaning. Do call shortenLinks only once, right before saving new notice. 2013-06-15 19:04:31 +02:00
Jean Baptiste Favre
f803b22752 Code cleaning, remove 'TEST' tags. 2013-06-15 19:04:31 +02:00
Jean Baptiste Favre
6387e0a90d Notice update with media attachment may fail through API when status text + attachment length get higher than max notice length. Calling URL shortener can make global length less than maxlength, though allowing notice update. 2013-06-15 19:04:31 +02:00
Jean Baptiste Favre
1b39f89b96 Add configuration check. Need 'server', 'port', 'user' and 'password' to be defined (not valid, just defined). 2013-06-15 18:59:17 +02:00
Jean Baptiste Favre
f175512748 Remove static definition of imdaemon.php as valid daemon. 2013-06-15 18:59:17 +02:00
Jean Baptiste Favre
b8a69d023b Add basic support for GetValidDaemon event. Shall be extended with configuration check. 2013-06-15 18:59:16 +02:00
Jean Baptiste Favre
93c8969a27 Remove alone 'groups' link on the left side. Useless I guess. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
d1e46e61ac Add same CSS rules for #remoteprofile than for #showstream. Allows to hide avatars, like for local profiles. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
5a0f17933b Display notices for remote profile. Would like to hide avatar like in local profile but did not found how to do it. 2013-06-15 18:41:04 +02:00
Jean Baptiste Favre
d48076253b Fix error 'No matches for action subscriptions with arguments nickname...' when displaying remote profile. 2013-06-15 18:41:04 +02:00