23 files changed, 147 insertions, 30 deletions
diff --git a/.htaccess b/.htaccess
index 19dd72a8..7ba4744b 100644
--- a/.htaccess
+++ b/.htaccess
@@ -6,6 +6,10 @@ RewriteEngine On
 # Prevent accessing subdirectories not managed by SCM
 RewriteRule ^(.git|doxygen|vendor) - [F]
+# Forward the "Authorization" HTTP header
+RewriteCond %{HTTP:Authorization} ^(.*)
+RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
 # REST API
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e737d8c..3218f4d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [v0.10.0](https://github.com/shaarli/Shaarli/releases/tag/v0.10.0) - UNPUBLISHED
+## [v0.9.6](https://github.com/shaarli/Shaarli/releases/tag/v0.9.6) - 2018-03-25
+## Changed
+- htaccess: prevent accessing resources not managed by SCM
+- htaccess: always forward the 'Authorization' HTTP header
 ## [v0.9.5](https://github.com/shaarli/Shaarli/releases/tag/v0.9.5) - 2018-02-02
 ### Fixed
 - Fix a warning happening when `php-intl` is not installed on the system
diff --git a/Doxyfile b/Doxyfile
index 9a596b53..30f95564 100644
--- a/Doxyfile
+++ b/Doxyfile
@@ -804,6 +804,7 @@ RECURSIVE              = YES
 # run.
 EXCLUDE                = vendor \
+                         data \
                         tpl \
                         inc \
                         doc \
diff --git a/Makefile b/Makefile
index d659d908..5e3ae26d 100644
--- a/Makefile
+++ b/Makefile
@@ -192,7 +192,7 @@ authors:
 ### generate Doxygen documentation
 doxygen: clean
        @rm -rf doxygen
-        @( cat Doxyfile ; echo "PROJECT_NUMBER=`git describe`" ) | doxygen -
+        @doxygen Doxyfile
 ### generate HTML documentation from Markdown pages with MkDocs
 htmldoc:
@@ -206,4 +206,4 @@ htmldoc:
 ### Generate Shaarli's translation compiled file (.mo)
 translate:
-        @find inc/languages/ -name shaarli.po -execdir msgfmt shaarli.po -o shaarli.mo \;
-\ No newline at end of file
+        @find inc/languages/ -name shaarli.po -execdir msgfmt shaarli.po -o shaarli.mo \;
diff --git a/README.md b/README.md
index 106384d8..df9018b6 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ _It is designed to be personal (single-user), fast and handy._
 [![](https://img.shields.io/badge/stable-v0.8.6-blue.svg)](https://github.com/shaarli/Shaarli/releases/tag/v0.8.6)
 [![](https://img.shields.io/travis/shaarli/Shaarli/stable.svg?label=stable)](https://travis-ci.org/shaarli/Shaarli)
 &bull;
-[![](https://img.shields.io/badge/latest-v0.9.5-blue.svg)](https://github.com/shaarli/Shaarli/releases/tag/v0.9.5)
+[![](https://img.shields.io/badge/latest-v0.9.6-blue.svg)](https://github.com/shaarli/Shaarli/releases/tag/v0.9.6)
 [![](https://img.shields.io/travis/shaarli/Shaarli/latest.svg?label=latest)](https://travis-ci.org/shaarli/Shaarli)
 &bull;
 [![](https://img.shields.io/badge/master-v0.10.x-blue.svg)](https://github.com/shaarli/Shaarli)
diff --git a/application/FileUtils.php b/application/FileUtils.php
index 918cb83b..b89ea12b 100644
--- a/application/FileUtils.php
+++ b/application/FileUtils.php
@@ -37,7 +37,7 @@ class FileUtils
        if (is_file($file) && !is_writeable($file)) {
            // The datastore exists but is not writeable
            throw new IOException($file);
-        } else if (!is_file($file) && !is_writeable(dirname($file))) {
+        } elseif (!is_file($file) && !is_writeable(dirname($file))) {
            // The datastore does not exist and its parent directory is not writeable
            throw new IOException(dirname($file));
        }
diff --git a/application/LinkFilter.php b/application/LinkFilter.php
index 12376e27..e52239b8 100644
--- a/application/LinkFilter.php
+++ b/application/LinkFilter.php
@@ -117,7 +117,7 @@ class LinkFilter
        foreach ($this->links as $key => $value) {
            if ($value['private'] && $visibility === 'private') {
                $out[$key] = $value;
-            } else if (! $value['private'] && $visibility === 'public') {
+            } elseif (! $value['private'] && $visibility === 'public') {
                $out[$key] = $value;
            }
        }
@@ -210,7 +210,7 @@ class LinkFilter
            if ($visibility !== 'all') {
                if (! $link['private'] && $visibility === 'private') {
                    continue;
-                } else if ($link['private'] && $visibility === 'public') {
+                } elseif ($link['private'] && $visibility === 'public') {
                    continue;
                }
            }
@@ -337,7 +337,7 @@ class LinkFilter
            if ($visibility !== 'all') {
                if (! $link['private'] && $visibility === 'private') {
                    continue;
-                } else if ($link['private'] && $visibility === 'public') {
+                } elseif ($link['private'] && $visibility === 'public') {
                    continue;
                }
            }
@@ -380,7 +380,7 @@ class LinkFilter
            if ($visibility !== 'all') {
                if (! $link['private'] && $visibility === 'private') {
                    continue;
-                } else if ($link['private'] && $visibility === 'public') {
+                } elseif ($link['private'] && $visibility === 'public') {
                    continue;
                }
            }
diff --git a/application/NetscapeBookmarkUtils.php b/application/NetscapeBookmarkUtils.php
index 2aa2da3b..b4d16d00 100644
--- a/application/NetscapeBookmarkUtils.php
+++ b/application/NetscapeBookmarkUtils.php
@@ -154,10 +154,10 @@ class NetscapeBookmarkUtils
            if (empty($post['privacy']) || $post['privacy'] == 'default') {
                // use value from the imported file
                $private = $bkm['pub'] == '1' ? 0 : 1;
-            } else if ($post['privacy'] == 'private') {
+            } elseif ($post['privacy'] == 'private') {
                // all imported links are private
                $private = 1;
-            } else if ($post['privacy'] == 'public') {
+            } elseif ($post['privacy'] == 'public') {
                // all imported links are public
                $private = 0;
            }
diff --git a/application/Updater.php b/application/Updater.php
index f07e7697..dece2c02 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -457,6 +457,32 @@ class Updater
        }
        return true;
    }
+    /**
+     * Add download size and timeout to the configuration file
+     *
+     * @return bool true if the update is successful, false otherwise.
+     */
+    public function updateMethodDownloadSizeAndTimeoutConf()
+    {
+        if ($this->conf->exists('general.download_max_size')
+            && $this->conf->exists('general.download_timeout')
+        ) {
+            return true;
+        }
+        if (! $this->conf->exists('general.download_max_size')) {
+            $this->conf->set('general.download_max_size', 1024*1024*4);
+        }
+        if (! $this->conf->exists('general.download_timeout')) {
+            $this->conf->set('general.download_timeout', 30);
+        }
+        $this->conf->write($this->isLoggedIn);
+        return true;
+    }
 }
 /**
diff --git a/application/Url.php b/application/Url.php
index 21c17ecc..6b9870f0 100644
--- a/application/Url.php
+++ b/application/Url.php
@@ -81,7 +81,7 @@ function whitelist_protocols($url, $protocols)
    // Protocol not allowed: we remove it and replace it with http
    if ($protocol === 1 && ! in_array($match[1], $protocols)) {
        $url = str_replace($match[0], 'http://', $url);
-    } else if ($protocol !== 1) {
+    } elseif ($protocol !== 1) {
        $url = 'http://' . $url;
    }
    return $url;
diff --git a/application/api/controllers/History.php b/application/api/controllers/History.php
index 2ff9deaf..5cc453bf 100644
--- a/application/api/controllers/History.php
+++ b/application/api/controllers/History.php
@@ -36,7 +36,7 @@ class History extends ApiController
        if (empty($offset)) {
            $offset = 0;
        }
-        else if (ctype_digit($offset)) {
+        elseif (ctype_digit($offset)) {
            $offset = (int) $offset;
        } else {
            throw new ApiBadParametersException('Invalid offset');
@@ -46,7 +46,7 @@ class History extends ApiController
        $limit = $request->getParam('limit');
        if (empty($limit)) {
            $limit = count($history);
-        } else if (ctype_digit($limit)) {
+        } elseif (ctype_digit($limit)) {
            $limit = (int) $limit;
        } else {
            throw new ApiBadParametersException('Invalid limit');
diff --git a/application/api/controllers/Links.php b/application/api/controllers/Links.php
index eb78dd26..3a9c0355 100644
--- a/application/api/controllers/Links.php
+++ b/application/api/controllers/Links.php
@@ -59,9 +59,9 @@ class Links extends ApiController
        $limit = $request->getParam('limit');
        if (empty($limit)) {
            $limit = self::$DEFAULT_LIMIT;
-        } else if (ctype_digit($limit)) {
+        } elseif (ctype_digit($limit)) {
            $limit = intval($limit);
-        } else if ($limit === 'all') {
+        } elseif ($limit === 'all') {
            $limit = count($links);
        } else {
            throw new ApiBadParametersException('Invalid limit');
diff --git a/doc/md/Download-and-Installation.md b/doc/md/Download-and-Installation.md
index 0fdbd27d..05f0c8f2 100644
--- a/doc/md/Download-and-Installation.md
+++ b/doc/md/Download-and-Installation.md
@@ -25,11 +25,11 @@ Using one of the following methods:
 In most cases, you should download the latest Shaarli release from the [releases](https://github.com/shaarli/Shaarli/releases) page. **Download our *shaarli-full* archive** to include dependencies.
-The current latest released version is `v0.9.3`
+The current latest released version is `v0.9.6`
 ```bash
-$ wget https://github.com/shaarli/Shaarli/releases/download/v0.9.3/shaarli-v0.9.3-full.zip
+$ wget https://github.com/shaarli/Shaarli/releases/download/v0.9.6/shaarli-v0.9.6-full.zip
-$ unzip shaarli-v0.9.3-full.zip
+$ unzip shaarli-v0.9.6-full.zip
 $ mv Shaarli /path/to/shaarli/
 ```
diff --git a/doc/md/Upgrade-and-migration.md b/doc/md/Upgrade-and-migration.md
index f666be75..ac24ff34 100644
--- a/doc/md/Upgrade-and-migration.md
+++ b/doc/md/Upgrade-and-migration.md
@@ -3,7 +3,7 @@
 ### Note your current version
 If anything goes wrong, it's important for us to know which version you're upgrading from.
-The current version is present in the `version.php` file.
+The current version is present in the `shaarli_version.php` file.
 ### Backup your data
diff --git a/docker/alpine/Dockerfile.armhf.latest b/docker/alpine/Dockerfile.armhf.latest
index c923834a..824a1926 100644
--- a/docker/alpine/Dockerfile.armhf.latest
+++ b/docker/alpine/Dockerfile.armhf.latest
@@ -37,7 +37,9 @@ RUN curl -L https://github.com/shaarli/Shaarli/archive/latest.tar.gz | tar xzf -
    && cd shaarli \
    && composer --prefer-dist --no-dev install \
    && rm -rf ~/.composer \
-    && chown -R nginx:nginx .
+    && chown -R nginx:nginx . \
+    && ln -sf /dev/stdout /var/log/nginx/shaarli.access.log \
+    && ln -sf /dev/stderr /var/log/nginx/shaarli.error.log
 VOLUME /var/www/shaarli/data
diff --git a/docker/alpine/Dockerfile.armhf.master b/docker/alpine/Dockerfile.armhf.master
index 7f1bdf85..6c89adc3 100644
--- a/docker/alpine/Dockerfile.armhf.master
+++ b/docker/alpine/Dockerfile.armhf.master
@@ -37,7 +37,9 @@ RUN curl -L https://github.com/shaarli/Shaarli/archive/master.tar.gz | tar xzf -
    && cd shaarli \
    && composer --prefer-dist --no-dev install \
    && rm -rf ~/.composer \
-    && chown -R nginx:nginx .
+    && chown -R nginx:nginx . \
+    && ln -sf /dev/stdout /var/log/nginx/shaarli.access.log \
+    && ln -sf /dev/stderr /var/log/nginx/shaarli.error.log
 VOLUME /var/www/shaarli/data
diff --git a/docker/alpine/Dockerfile.latest b/docker/alpine/Dockerfile.latest
index e9015c13..755d8751 100644
--- a/docker/alpine/Dockerfile.latest
+++ b/docker/alpine/Dockerfile.latest
@@ -42,7 +42,12 @@ RUN rm -rf /etc/php7/php-fpm.d/www.conf \
 WORKDIR /var/www
 COPY --from=composer /app/shaarli shaarli
+RUN chown -R nginx:nginx . \
+    && ln -sf /dev/stdout /var/log/nginx/shaarli.access.log \
+    && ln -sf /dev/stderr /var/log/nginx/shaarli.error.log
 VOLUME /var/www/shaarli/data
 EXPOSE 80
 ENTRYPOINT ["/bin/s6-svscan", "/etc/services.d"]
diff --git a/docker/alpine/Dockerfile.master b/docker/alpine/Dockerfile.master
index 9cb4dec4..0472947f 100644
--- a/docker/alpine/Dockerfile.master
+++ b/docker/alpine/Dockerfile.master
@@ -42,7 +42,10 @@ RUN rm -rf /etc/php7/php-fpm.d/www.conf \
 WORKDIR /var/www
 COPY --from=composer /app/shaarli shaarli
-RUN chown -R nginx:nginx .
+RUN chown -R nginx:nginx . \
+    && ln -sf /dev/stdout /var/log/nginx/shaarli.access.log \
+    && ln -sf /dev/stderr /var/log/nginx/shaarli.error.log
 VOLUME /var/www/shaarli/data
 EXPOSE 80
diff --git a/index.php b/index.php
index bd34c0cd..dbc2bb3b 100644
--- a/index.php
+++ b/index.php
@@ -887,7 +887,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
        if (empty($params['searchtags'])) {
            $params['searchtags'] = trim($_GET['addtag']);
        }
-        else if ($addtag) {
+        elseif ($addtag) {
            $params['searchtags'] = trim($params['searchtags']).' '.trim($_GET['addtag']);
        }
@@ -953,7 +953,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
            } else {
                unset($_SESSION['visibility']);
            }
-        } else if ($_GET['visibility'] === 'public') {
+        } elseif ($_GET['visibility'] === 'public') {
            if (empty($_SESSION['visibility']) || $_SESSION['visibility'] !== 'public') {
                // See only public links
                $_SESSION['visibility'] = 'public';
@@ -1093,7 +1093,6 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
            $conf->set('general.title', escape($_POST['title']));
            $conf->set('general.header_link', escape($_POST['titleLink']));
            $conf->set('resource.theme', escape($_POST['theme']));
-            $conf->set('redirector.url', escape($_POST['redirector']));
            $conf->set('security.session_protection_disabled', !empty($_POST['disablesessionprotection']));
            $conf->set('privacy.default_private_links', !empty($_POST['privateLinkByDefault']));
            $conf->set('feed.rss_permalinks', !empty($_POST['enableRssPermalinks']));
@@ -1126,7 +1125,6 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
            $PAGE->assign('title', $conf->get('general.title'));
            $PAGE->assign('theme', $conf->get('resource.theme'));
            $PAGE->assign('theme_available', ThemeUtils::getThemes($conf->get('resource.raintpl_tpl')));
-            $PAGE->assign('redirector', $conf->get('redirector.url'));
            list($continents, $cities) = generateTimeZoneData(
                timezone_identifiers_list(),
                $conf->get('general.timezone')
@@ -1376,7 +1374,12 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
            if (empty($title) && strpos(get_url_scheme($url), 'http') !== false) {
                // Short timeout to keep the application responsive
                // The callback will fill $charset and $title with data from the downloaded page.
-                get_http_response($url, 25, 4194304, get_curl_download_callback($charset, $title));
+                get_http_response(
+                    $url,
+                    $conf->get('general.download_max_size', 4194304),
+                    $conf->get('general.download_timeout', 30),
+                    get_curl_download_callback($charset, $title)
+                );
                if (! empty($title) && strtolower($charset) != 'utf-8') {
                    $title = mb_convert_encoding($title, 'utf-8', $charset);
                }
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 6b4aabf3..2f24e417 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -288,7 +288,7 @@ function sanitize_html($description)
            $description);
    }
    $description = preg_replace(
-        '#(<[^>]+)on[a-z]*="?[^ "]*"?#is',
+        '#(<[^>]+\s)on[a-z]*="?[^ "]*"?#is',
        '$1',
        $description);
    return $description;
diff --git a/tests/Updater/UpdaterTest.php b/tests/Updater/UpdaterTest.php
index fed175df..94e3c7d3 100644
--- a/tests/Updater/UpdaterTest.php
+++ b/tests/Updater/UpdaterTest.php
@@ -620,4 +620,68 @@ $GLOBALS[\'privateLinkByDefault\'] = true;';
        $this->assertTrue($updater->updateMethodAtomDefault());
        $this->assertTrue($this->conf->get('feed.show_atom'));
    }
+    /**
+     * Test updateMethodDownloadSizeAndTimeoutConf, it should be set if none is already defined.
+     */
+    public function testUpdateMethodDownloadSizeAndTimeoutConf()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodDownloadSizeAndTimeoutConf());
+        $this->assertEquals(4194304, $this->conf->get('general.download_max_size'));
+        $this->assertEquals(30, $this->conf->get('general.download_timeout'));
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->assertEquals(4194304, $this->conf->get('general.download_max_size'));
+        $this->assertEquals(30, $this->conf->get('general.download_timeout'));
+    }
+    /**
+     * Test updateMethodDownloadSizeAndTimeoutConf, it shouldn't be set if it is already defined.
+     */
+    public function testUpdateMethodDownloadSizeAndTimeoutConfIgnore()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->conf->set('general.download_max_size', 38);
+        $this->conf->set('general.download_timeout', 70);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodDownloadSizeAndTimeoutConf());
+        $this->assertEquals(38, $this->conf->get('general.download_max_size'));
+        $this->assertEquals(70, $this->conf->get('general.download_timeout'));
+    }
+    /**
+     * Test updateMethodDownloadSizeAndTimeoutConf, only the maz size should be set here.
+     */
+    public function testUpdateMethodDownloadSizeAndTimeoutConfOnlySize()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->conf->set('general.download_max_size', 38);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodDownloadSizeAndTimeoutConf());
+        $this->assertEquals(38, $this->conf->get('general.download_max_size'));
+        $this->assertEquals(30, $this->conf->get('general.download_timeout'));
+    }
+    /**
+     * Test updateMethodDownloadSizeAndTimeoutConf, only the time out should be set here.
+     */
+    public function testUpdateMethodDownloadSizeAndTimeoutConfOnlyTimeout()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->conf->set('general.download_timeout', 3);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodDownloadSizeAndTimeoutConf());
+        $this->assertEquals(4194304, $this->conf->get('general.download_max_size'));
+        $this->assertEquals(3, $this->conf->get('general.download_timeout'));
+    }
 }
diff --git a/tests/plugins/test/test.php b/tests/plugins/test/test.php
index 3d750c90..2aaf5122 100644
--- a/tests/plugins/test/test.php
+++ b/tests/plugins/test/test.php
@@ -11,7 +11,7 @@ function hook_test_random($data)
 {
    if (isset($data['_PAGE_']) && $data['_PAGE_'] == 'test') {
        $data[1] = 'page test';
-    } else if (isset($data['_LOGGEDIN_']) && $data['_LOGGEDIN_'] === true) {
+    } elseif (isset($data['_LOGGEDIN_']) && $data['_LOGGEDIN_'] === true) {
        $data[1] = 'loggedin';
    } else {
        $data[1] = $data[0];
diff --git a/tpl/vintage/loginform.html b/tpl/vintage/loginform.html
index 2c9b710e..0f7d6387 100644
--- a/tpl/vintage/loginform.html
+++ b/tpl/vintage/loginform.html
@@ -13,7 +13,7 @@
  {include="page.header"}
  <div id="headerform">
-    {if="!ban_canLogin($conf)"}
+    {if="!$user_can_login"}
      You have been banned from login after too many failed attempts. Try later.
    {else}
      <form method="post" name="loginform">