Commit message | Author | Age | Files | Lines
* [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. | Knah Tsaeb | 2013-03-04 | 3 | -60/+71
* Added https to list of authorized protocols. | Sebastien SAUVAGE | 2013-03-03 | 1 | -1/+1
* Corrected vulnerabilities (see report below) | Sebastien SAUVAGE | 2013-03-03 | 3 | -5/+16

  Title : Shaarli Vulnerabilities
  Author : @erwan_lr | @_WPScan_
  Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
  Download : https://github.com/sebsauvage/Shaarli/archive/master.zip | http://sebsauvage.net/files/shaarli_0.0.40beta.zip
  Affected versions : master-705F835, 0.0.40-beta (versions below may also be vulnerable)
  Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

  Persistent XSS :
  - During the installation or configuration modification, the title field is vulnerable.
    e.g. <script>alert(1)</script>
    Quotes cannot be used because of var_export(), but String.fromCharCode works.
  - The url field of a link is vulnerable :
    When there is no redirector : javascript:alert(1)
    Then, the code is triggered when a user clicks the url of a link.
    Or with a classic XSS : "><script>alert(1)</script>

  Unvalidated Redirects and Forwards :
  A request with the param linksperpage or privateonly can be used to redirect a user to an arbitrary referer.
  e.g.
    GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
    Host: 127.0.0.1
    Referer: https://duckduckgo.com

  History :
  March 2, 2013 - Vendor contacted
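Defensive handling for the three findings in the report above, as an added example in PHP that is not Shaarli's own code; the function names, the scheme allow-list and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not Shaarli's code: defensive handling for the three
// findings in the report above. Function names and the scheme allow-list
// are assumptions made for this illustration.

// 1. Escape the title for HTML output. var_export() only makes the value
//    safe to write into the PHP config file; it does nothing for the page.
function html_escape_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Accept a link URL only if its scheme is on an allow-list, so a value
//    such as "javascript:alert(1)" is never stored as a clickable href.
function is_allowed_link_url(string $url): bool
{
    $allowed = ['http', 'https', 'ftp']; // assumed list
    if (!preg_match('/^\s*([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return false; // no recognisable scheme: reject rather than guess
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// 3. Redirect to the Referer only when it points back at our own host;
//    anything else goes to the application root instead.
function safe_redirect_target(?string $referer, string $own_host, string $fallback = '?'): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    return strcasecmp($parts['host'], $own_host) === 0 ? $referer : $fallback;
}

// Constructed inputs taken from the report (run with zend.assertions=1).
assert(html_escape_title('<script>alert(1)</script>') === '&lt;script&gt;alert(1)&lt;/script&gt;');
assert(is_allowed_link_url('javascript:alert(1)') === false);
assert(is_allowed_link_url('"><script>alert(1)</script>') === false);
assert(is_allowed_link_url('https://example.org/') === true);
assert(safe_redirect_target('https://duckduckgo.com', '127.0.0.1') === '?');
assert(safe_redirect_target('http://127.0.0.1/?searchterm=php', '127.0.0.1') === 'http://127.0.0.1/?searchterm=php');
```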
* Proper redirect in popup when login fails. | Sebastien SAUVAGE | 2013-03-02 | 1 | -1/+3
  This corrects issue https://github.com/sebsauvage/Shaarli/issues/10
* Added option to disable jQuery and heavy javascript | Sebastien SAUVAGE | 2013-03-01 | 6 | -13/+36
  Shaarli uses light Javascript in its normal operation, and some jQuery for some features (autocomplete in tags, QR-Code popup...). jQuery can be slow on small computers. An option has been added in the configuration screen to disable javascript features which are hard on the CPU. (Note that the Picture Wall is awfully heavy *without* jQuery.)
  (Side note: A *LOT* of users want Shaarli to work without javascript at all, if possible. That's why I try to use as little javascript as possible: it keeps Shaarli pages fast.)
* URL source in cached RSS feeds. | Sebastien SAUVAGE | 2013-03-01 | 1 | -3/+3
* Sort tags | Sebastien SAUVAGE | 2013-03-01 | 1 | -2/+6
* Corrected: "Nothing found" when logging out when only private links were displayed. | Sebastien SAUVAGE | 2013-03-01 | 1 | -1/+1
  This closes issue https://github.com/sebsauvage/Shaarli/issues/25
* RSS patch for Thunderbird (and some RSS clients). | Sébastien SAUVAGE | 2013-02-28 | 1 | -2/+2
  In the RSS specifications, the "link" tag contains the URL to follow, and the "guid" contains a unique identifier (which may or may not be a URL). RSS clients should always use "link" to follow the link (and most do), but Thunderbird uses the "guid" if it finds a valid URL inside (and only falls back to "link" if "guid" is not a URL). I have patched the RSS feed so that Thunderbird ignores the URL in guid.
* Check that sessions work before installation. | Sébastien SAUVAGE | 2013-02-28 | 1 | -7/+32
  This is necessary because some hosts do not have a properly set session.save_path parameter in php config, or do not have write access to the directory.
* Improved token security | Sébastien SAUVAGE | 2013-02-28 | 1 | -1/+1
  ...by adding salt. These tokens are used in forms which act on data, to prevent CSRF attacks. This closes issue https://github.com/sebsauvage/Shaarli/issues/24
* Corrected thumbnail creation. | Sebastien SAUVAGE | 2013-02-27 | 1 | -0/+1
  Because some systems do not allow file overwriting when doing a rename().
* Puerile addition of the logo in Readme for GitHub master page. | Sébastien SAUVAGE | 2013-02-27 | 1 | -0/+2
* After clicking save/cancel on a link, scroll to the link itself. | Sébastien SAUVAGE | 2013-02-27 | 2 | -0/+3
* Edit/delete button on the left-side of links. | Sébastien SAUVAGE | 2013-02-27 | 2 | -7/+26
  https://github.com/sebsauvage/Shaarli/issues/5
* Remove script name from URL if it's index.php | Sébastien SAUVAGE | 2013-02-27 | 1 | -1/+5
  (for better looking URLs, eg. http://mysite.com/shaarli/?abcde instead of http://mysite.com/shaarli/index.php?abcde)
* Link in description & option to invert link/permalink. | Sébastien SAUVAGE | 2013-02-27 | 1 | -4/+32
  Patch for issue https://github.com/sebsauvage/Shaarli/issues/19
  Now:
  * The (perma)link is added at the bottom of description.
  * If "permalinks" is added in URL parameters, link/permalinks will be swapped.
    eg.
    * Normal link in title + permalink in description: http://mysite.com/shaarli/?do=rss
    * Permalink in title + normal link in description : http://mysite.com/shaarli/?do=rss&permalinks
  It works for the ATOM feed too.
  (Happy ? :-D )
* Support for magnet links in description. | Sébastien SAUVAGE | 2013-02-27 | 1 | -1/+1
* Corrected bug in cache purge. | Sébastien SAUVAGE | 2013-02-26 | 1 | -1/+1
* Typo correction. | Sébastien SAUVAGE | 2013-02-26 | 1 | -1/+1
* Login problem correction | Sébastien SAUVAGE | 2013-02-26 | 1 | -3/+7
  This corrects the session problem with some browsers when Shaarli is hosted on a sub-domain. Please tell me if this corrects login problems if you had one.
* Added README.md | Sébastien SAUVAGE | 2013-02-26 | 1 | -0/+69
* Added .gitignore | Sébastien SAUVAGE | 2013-02-26 | 1 | -0/+5
* Initial commit (version 0.0.40 beta) [tag: v0.0.40beta] | Sébastien SAUVAGE | 2013-02-26 | 48 | -0/+4412