Age | Commit message (Collapse) | Author | Files | Lines |
|
This could lead to XSS if the html attribute values weren't quoted with
double quotes. By default htmlentities only encodes double quotes and
not single quotes. If the quotes are ever changed this could lead to
exploitable XSS.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
The documentation already refers to 2.1.0 and lists a new feature of
the file/history endpoint, but requests for 2.1.0 are not yet accepted
because the server doesn't know that it actually supports this version.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Previously the login box in the navigation would redirect to the
current page, but this page will throw an error in the case of the
registration page since that's the page with the invition key and that
key is no longer valid.
Fix this by redirecting to the $redirect_uri and ensure that this value
is set for all requests.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
The php documentation for password_hash recommends 255.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
This drops a third party library, but bumps our required php version to
5.5 which is currently old stable. Earlier versions are no longer
supported by php upstream nor by us.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Error was: You can't specify target table 'testsuite_prefix_file_storage' for update in FROM clause
The new code is ported from the existing postgres migration.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Sometimes php7 throws an internal notice in this function which we
convert to an exception. Catching the exception will however not set
$mimetype so this error needs to be ignored.
This should be removed once php has fixed the bug.
References: https://bugs.php.net/bug.php?id=71434
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Using the class name for the constructor is deprecated.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Clients are only hosted on paste.xinu.at and everywhere else the links
will point to missing files so they become useless.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Imagemagick sometimes output warnings about files that do not conform
to standards, but still renders them.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
- Add missing files
- Fix paths missing FCPATH
- Remove left over header/footer
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
The - from m-ID was missing in the regex.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Reported-by: Michael Mueller <michael.mueller@selfnet.de>
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
service/file::history calls this for every entry which is rather slow.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Also adjust test cases to check for the new value. API v1 does not
change.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Since this is a breaking change bump the api version to 2.
The private fields are user_id and multipaste_id which where leaked via
the multipaste_items field. This commit also adds a test case to both
api versions that checks the returned fields.
NOTE: Most of this commit is copied from the files of api v1 so when
viewing the diff use --find-copies-harder for an easy to read diff.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
These are necessary for clients that want to send lots of fields e.g.
in a delete request or upload multiple files in one upload request.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
If the user has multiple tabs open, but is not logged in this will be
called multiple times (unless he logs in after the first upload batch)
and earlier uploads would be lost.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
If we store only the last called URI in the session we can't support
multiple browser tabs that all need to log in again. Fix this by
storing the URI in the URL.
Also change a trim() to ltrim() so that the URI string we store keeps
it's trailing slash.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Also try to clean up when files are deleted since 1 month is a rather
long time. Granted, thumbnails are small, but whatever
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
- Use the filedata we already have in
c/file->upload_history_thumbnails() rather than fetching it per id in
m/mfile->valid_id
- Construct the config array for s/f::valid_id only once and not for
every validation.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
site_url is rather slow and the improvement is noticeable when there
are lots of thumbnails (thumbnail history).
Also make the code more readable in the process by inserting some
linebreaks.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
APPPATH is an absolute path already so prepending FCPATH will make an
invalid path.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|