path: root/application/core
Age | Commit message | Author | Files | Lines
2019-01-28 | Disable CSRF token regeneration for multipaste AJAX | Florian Pritz | 1 | -0/+5
If regeneration is on, the token is recreated after the first AJAX submit and subsequent ajax submits or normal form submits break. By disabling it here, we limit potential security issues to only this page, but it also only works if the user does not submit any other forms while they are on the AJAX page. Signed-off-by: Florian Pritz <bluewind@xinu.at>
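The failure mode this commit message describes, as an added example that is not part of the FileBin code base or of CodeIgniter: a framework-independent Python model of a session-bound CSRF token. The `CsrfSession` class, its `regenerate` switch and the three scenario functions are assumptions made for illustration; the model simplifies regeneration to "issue a fresh token after every successfully validated submit". It shows why a page rendered once and then submitted several times over AJAX breaks when regeneration is on, why disabling it only for that page still fails if the user submits another form elsewhere in the same session, and the alternative of having the client refresh its cached token from each response.

```python
"""Framework-independent model of a session-bound CSRF token, with and without
per-submit regeneration.  Added example; not FileBin or CodeIgniter code."""
from __future__ import annotations

import secrets


class CsrfSession:
    """One user's session (constructed for this example).  `regenerate`
    mirrors a csrf_regenerate-style switch: when on, a fresh token is issued
    after every successfully validated submit."""

    def __init__(self, regenerate: bool) -> None:
        self.regenerate = regenerate
        self.token = secrets.token_hex(16)

    def current_token(self) -> str:
        # What the server embeds in a rendered page (or echoes in a response).
        return self.token

    def validate(self, submitted: str) -> bool:
        # Constant-time compare; on success, optionally rotate the token.
        ok = secrets.compare_digest(submitted, self.token)
        if ok and self.regenerate:
            self.token = secrets.token_hex(16)
        return ok


def ajax_page_submits(regenerate: bool, n_ajax: int = 3) -> list[bool]:
    """A page is rendered once (token embedded once), POSTs n_ajax times via
    AJAX without reloading, then a normal form on the same page is submitted.
    Returns the validation result of each submit in order."""
    session = CsrfSession(regenerate=regenerate)
    page_token = session.current_token()  # token baked into the page at render time
    results = [session.validate(page_token) for _ in range(n_ajax)]
    # The normal form on that same stale page carries the render-time token too.
    results.append(session.validate(page_token))
    return results


def ajax_with_other_form(other_page_regenerates: bool) -> list[bool]:
    """Regeneration is disabled on the AJAX page only.  Between two AJAX
    submits the user posts a form on another page (e.g. another tab) where the
    global regeneration setting still applies."""
    session = CsrfSession(regenerate=False)  # AJAX page: regeneration off
    page_token = session.current_token()
    results = [session.validate(page_token)]  # first AJAX submit
    session.regenerate = other_page_regenerates  # other page's setting
    results.append(session.validate(session.current_token()))  # other form submit
    session.regenerate = False  # back on the AJAX page
    results.append(session.validate(page_token))  # second AJAX submit, old token
    return results


def ajax_refreshing_token(n_ajax: int = 3) -> list[bool]:
    """Alternative to disabling regeneration (assumed design, not the
    project's): keep regeneration on, but the server returns the new token in
    each response and the client updates its cached copy before the next POST."""
    session = CsrfSession(regenerate=True)
    cached = session.current_token()
    results = []
    for _ in range(n_ajax):
        results.append(session.validate(cached))
        cached = session.current_token()  # client stores the token echoed back
    return results


if __name__ == "__main__":
    print("regeneration on :", ajax_page_submits(regenerate=True))
    print("regeneration off:", ajax_page_submits(regenerate=False))
    print("other form, regen on elsewhere:", ajax_with_other_form(True))
    print("client refreshes token:", ajax_refreshing_token())
```

With regeneration on, only the first of the four submits validates; with it off, all four pass, but a single form submit on a page where regeneration is still active rotates the session token and the next AJAX submit from the stale page fails, which is the caveat the commit message states. Refreshing the token from each response keeps per-submit rotation without that dependency, at the cost of every AJAX response having to carry the new token.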
2018-09-24 | Remove unnecessary set of MB encoding | Florian Pritz | 1 | -1/+0
There are no more MB related functions used in the application code base so this can go away. It was used by the plain text API which has been removed in v2.0.0. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2017-09-21 | Remove usage of deprecated is_cli_request() | Florian Pritz | 1 | -3/+3
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2017-09-21 | Fix return checks for CI3 | Florian Pritz | 1 | -2/+2
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2017-09-18 | Migrate return code checks for CI3 | Florian Pritz | 1 | -1/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2017-09-09 | Merge tag '3.1.5' into dev-ci3 | Florian Pritz | 1 | -1/+2
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2017-05-15 | Fix error handling in MY_Input->post_array() | Florian Pritz | 1 | -1/+7
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2017-05-12 | Catch incorrect POST parameters (array vs string) | Florian Pritz | 1 | -0/+34
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-05 | MY_Controller: Extract CSRF code into method | Florian Pritz | 1 | -28/+37
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-05 | c/MY_Controller: Extract CSRF protection code into method | Florian Pritz | 1 | -5/+9
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-05 | c/MY_Controller: Extract database migration code into method | Florian Pritz | 1 | -14/+20
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-05 | Add do_websumit to CSRF exception list | Florian Pritz | 1 | -0/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-05 | Remove cli client upload handler | Florian Pritz | 1 | -2/+0
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-05 | Remove cli client CSRF whitelist | Florian Pritz | 1 | -12/+0
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-05 | Rename is_cli_client to is_api_client | Florian Pritz | 1 | -3/+3
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-01 | Only check for multipaste queue when session is available | Florian Pritz | 1 | -1/+3
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-11-01 | Add multipaste queue button to navigation | Florian Pritz | 1 | -0/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-10-31 | Disable special handling of {elapsed_time} and {memory_usage} | Florian Pritz | 1 | -0/+16
Documentation says that the variable can be set from the controller, but it's protected and thus throws an exception. Good documentation is hard to come by... Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-07-13 | Throw public exception when accessing CLI only functions | Florian Pritz | 1 | -0/+7
We actually don't need to hide this from the user. The error should be shown rather than a blank page being returned. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2016-06-05 | Fix redirect on login after registering new account | Florian Pritz | 1 | -0/+1
Previously the login box in the navigation would redirect to the current page, but this page will throw an error in the case of the registration page since that's the page with the invitation key and that key is no longer valid. Fix this by redirecting to the $redirect_uri and ensure that this value is set for all requests. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2015-05-22 | Forbid cli requests until database is updated | Florian Pritz | 1 | -1/+1
This mainly tries to prevent problems when file cron is run with an old database. Tools is whitelisted for the future; if there are cron jobs in tools they will need to check the migrations themselves. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2015-02-15 | add <!DOCTYPE html> | Tjoosten | 1 | -1/+2
2015-02-03 | Use exceptions instead of show_error | Florian Pritz | 1 | -3/+4
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2015-02-03 | Remove unstable json api | Florian Pritz | 1 | -27/+2
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2015-02-03 | implement api/user/create_apikey | Florian Pritz | 1 | -1/+7
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2015-01-16 | misc | Florian Pritz | 1 | -1/+5
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2014-10-15 | add file/do_multipaste to CSRF exception list | Florian Pritz | 1 | -0/+1
This is only needed for clients not yet using api keys. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2014-10-03 | Rework image manipulation class | Florian Pritz | 1 | -0/+1
This is the first of hopefully more classes using namespaces and proper classes that can be used as objects rather than CI's singleton approach. The namespace is mainly used to gain nice autoloading capabilities and it's not really yet used for separation. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2014-08-30 | Improve migration error message | Florian Pritz | 1 | -2/+2
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2014-07-23 | Move migration code to CLI callable function | Florian Pritz | 1 | -3/+16
This is necessary to prevent migrations from running multiple times in parallel. A git hook can be used to run this after checkout so impact should be fairly low. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-22 | Move user_logged_in check to controller constructor | Florian Pritz | 1 | -0/+3
TL;DR: Allows us to show a proper error page if encryption_key is missing from the config. muser->logged_in() can load the session class, which will die if encryption_key is not set in the config, causing an error to be displayed. Because the header is also loaded when we display an error, loading the class will be tried again. CI maintains an array with information about which classes it has already tried to load and will simply return true without loading again. muser->logged_in() will then try to access $this->session, which doesn't exist. Since all of this happens when we are already in the header, the error message appears in the navigation, where it is hard to read. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-16 | Remove executable bits | Florian Pritz | 1 | -0/+0
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-10 | Add file/get_max_size to csrf whitelist | Florian Pritz | 1 | -0/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-05 | Disable CSRF for cli clients on user/create_apikey | Florian Pritz | 1 | -0/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-04 | Add support for enabling the profiler | Florian Pritz | 1 | -0/+4
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-04 | Replace is_cli_client() with stateful_client where applicable | Florian Pritz | 1 | -1/+0
Stateless clients (cli client and clients using api keys) can't reclaim IDs (no cookie) so they should be required to log in asap and they will always get an error if they didn't log in. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-04 | Generalize request_type() to static_storage() | Florian Pritz | 1 | -3/+3
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-02 | Disable CSRF checks for CLI requests | Florian Pritz | 1 | -1/+1
Otherwise we get an error in the Security class trying to access $_SERVER["REQUEST_METHOD"]. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-02 | Add GET parameter for json output | Florian Pritz | 1 | -0/+6
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-02 | Add CSRF protection | Florian Pritz | 1 | -0/+46
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-09-02 | Provide json output for api functions | Florian Pritz | 1 | -1/+11
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2013-08-22 | Deduplicate initialisation code in controllers | Florian Pritz | 1 | -0/+36
Signed-off-by: Florian Pritz <bluewind@xinu.at>
2011-01-28 | update to CI 2.0 | Florian Pritz | 1 | -0/+10
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
2010-03-25 | moved application folder outside of the system folder | Derek Jones | 1 | -0/+10