Commit graph

39219 commits

Author SHA1 Message Date
Hypolite Petovan a25dbf839a Remove photo user id fallback from 2021
- Remove deprecated /photos/{nickname} fallback routes
- The contact id fallback is a lie, there's no replacement feature
2024-02-23 22:41:18 -05:00
Hypolite Petovan e16b6ee6e1
Check form security token in /settings/userexport module (#13929)
* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event

* Check form security token in /settings/userexport module

- Prevents basic XSS attacks against /settings/userexport/*
2024-02-22 21:08:32 +01:00
Hypolite Petovan 5c5d7eb04f
Fix several vulnerabilities (#13927)
* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event
2024-02-22 06:53:52 +01:00
Michael Vogel fc3898fe64
Updated Bluesky logo (#13926) 2024-02-21 18:23:36 +01:00
Michael Vogel 71384e6f39
Issue 13909: Filter channels by network (#13924) 2024-02-20 07:11:26 +01:00
Michael Vogel d95c9d28a8
Issue 13922: "voted" must not be null (#13923) 2024-02-20 07:09:55 +01:00
Hypolite Petovan bb7d25dfc9
Merge pull request #13921 from annando/content-type
Check for activity pub mime types
2024-02-19 05:57:47 -05:00
Michael Vogel d5c0f086bd
Disallow mail addresses for registration (#13920)
* Disallow mail addresses for registration

* Order for allow/disallow has been changed
2024-02-19 09:33:20 +01:00
Michael 892e0a5623 Check for activity pub mime types 2024-02-19 07:11:56 +00:00
Michael Vogel cb294cf411
Avoid problems with an empty domain in the blocklist (#13919)
* Avoid problems with an empty domain in the blocklist

* Test code removed
2024-02-19 07:22:19 +01:00
Michael Vogel 9ad452a19b
Merge pull request #13918 from MrPetovan/bug/fixup-13911
Move Api\Mastodon\Instance\Extended to ExtendedDescription
2024-02-19 04:05:42 +01:00
Hypolite Petovan 623a5be8a6 Clarify condition on offset in Mastodon\Search->searchStatuses 2024-02-18 18:48:37 -05:00
Hypolite Petovan d1cd9a016e Move Api\Mastodon\Instance\Extended to ExtendedDescription
- Add reference to Mastodon documentation
2024-02-18 18:47:59 -05:00
Michael Vogel 7d5d3b3c29
Issue 13293: Endpoint /api/v1/accounts/lookup implemented (#13917) 2024-02-18 20:17:06 +01:00
Michael Vogel bcec6c5ab2
Issue #13899: Fix error on postupdate (#13915) 2024-02-18 20:09:56 +01:00
Michael Vogel 6384265cbd
Issue #13823: Fix "Mutes" endpoint (#13916) 2024-02-18 20:07:51 +01:00
Michael Vogel f12276eff8
New channel "quiet sharers" for posts from lesser frequent posters (#13913) 2024-02-18 15:54:21 +01:00
Michael Vogel c6160a1c38
Fix API issues #13887, #13886, #13863, #13809, #13897 (#13911) 2024-02-18 15:52:30 +01:00
Michael Vogel 07c20da08f
Issue 13905: ostatus context added (#13912) 2024-02-18 15:46:41 +01:00
Michael Vogel 4eefd0a205
Merge pull request #13908 from MrPetovan/bug/warnings
Avoid passing null bytes in regular expression in Object\Image
2024-02-18 05:33:41 +01:00
Hypolite Petovan 78bc1359e0
Merge pull request #13907 from annando/fix-relations
Fix contact-relation follower calculation
2024-02-17 22:30:56 -05:00
Hypolite Petovan 1956c2ecfd Avoid passing null bytes in regular expression in Object\Image
- Remove capturing expression for A|B in favor of bracket syntax in regular expression since matches aren't used.
- Regular expressions have their own character escape notation including backslashes that need to be escaped in a PHP string.
- Actually address https://github.com/friendica/friendica/issues/13761#issuecomment-1949930922
2024-02-17 22:27:37 -05:00
Michael ade2369b5d Merge remote-tracking branch 'upstream/2024.03-rc' into fix-relations 2024-02-17 21:56:56 +00:00
Michael 0d2ea97eb1 Fix comtact-relation follower calculation 2024-02-17 21:32:17 +00:00
Michael Vogel 08fa51d0bb
Fix the handling of unhandled image types and of animations (#13904)
* Fix the handling of unhandled image types and of animations

* Avoid warnings
2024-02-17 15:46:48 +01:00
Michael 7d10518e94 Revert "Fix unhandled image detection"
This reverts commit 1069cfb570.
2024-02-17 10:50:09 +00:00
Michael 1069cfb570 Fix unhandled image detection 2024-02-17 10:46:48 +00:00
Michael Vogel 14e5b06029
Image handling reworked, new image formats added (#13900)
* Image handling reworked, new image formats added

* Updated messages.po

* The dot is now part of the file extension

* Added WebP in install documentation

* Handle unhandled mime types

* Fixed animated picture detected
2024-02-17 07:45:41 +01:00
Tobias Diekershoff 1ea8a4042d bump version to 2024.03-rc 2024-02-14 08:24:41 +01:00
Michael Vogel fad55e0948
Prevent users from following relay accounts (#13894) 2024-02-13 06:50:46 +01:00
Hypolite Petovan 262ca4131d
Merge pull request #13893 from annando/fix-relay-unsubscribe
Fixed relay detection on unsubscription
2024-02-12 23:55:01 -05:00
Michael c7e0500529 Fixed relay detection on unsubscription 2024-02-13 04:30:38 +00:00
Hypolite Petovan 686d0b6dbb
Merge pull request #13892 from annando/no-preview-on-sensitive
Don't display preview images for links, when the post is marked as sensitive
2024-02-12 22:30:31 -05:00
Hypolite Petovan 59c27a6cbb
Merge pull request #13889 from annando/issue-13884
Issue 13884: Sanitation of links in BBCode parser
2024-02-12 15:28:04 -05:00
Michael e2cbe0983a Don't display preview images for links, when the post is marked as sensitive 2024-02-12 06:01:07 +00:00
Michael 3b0cc45588 Link sanitation added to some more places 2024-02-12 05:40:09 +00:00
Michael 061f43788c Sanitize links before storing them 2024-02-12 05:21:13 +00:00
Michael fe00a3893d urlencode for tags / fix smiley replacement 2024-02-12 04:46:20 +00:00
Michael 5d4f72698d Function renamed 2024-02-12 04:44:13 +00:00
Michael 96ede22abb Issue 13884: Sanitation of links in BBCode parser 2024-02-11 12:05:31 +00:00
Michael Vogel 2cc8fcc4aa
Merge pull request #13880 from MrPetovan/bug/13878-deprecate-star-list
Deprecate use of [*] BBCode tag for list items in favor of [li]
2024-02-11 03:13:28 +01:00
Hypolite Petovan 98900c33d4
Merge pull request #13881 from annando/valid-object
Ckeck for host differences of fetched activities
2024-02-10 11:13:16 -05:00
Michael 7dc9a812f6 Updated messages.po 2024-02-10 11:46:42 +00:00
Michael 7a14d5f7e4 Merge branch 'develop' of https://github.com/annando/friendica into develop 2024-02-10 11:39:47 +00:00
Michael 909d516ed4 Merge remote-tracking branch 'upstream/develop' into valid-object 2024-02-10 11:34:17 +00:00
Michael Vogel 52825cb4c4
User setting to disable blurring of sensitive pictures (#13883) 2024-02-10 09:50:49 +01:00
Michael Vogel dbc72adaf9
Merge pull request #13882 from tobiasd/20240210-lng
update translations
2024-02-10 09:31:58 +01:00
Michael ba5a288b2d User setting to disable blurring of sensitive pictures 2024-02-10 08:27:54 +00:00
Tobias Diekershoff 84043abbda update translations 2024-02-10 08:57:19 +01:00
Michael Vogel f212888e90
Merge pull request #13879 from MrPetovan/bug/13877-fpostit-ssrf
Remove deprecated fpostit mod
2024-02-10 07:16:48 +01:00