| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
* Fixes https://github.com/sebsauvage/Shaarli/issues/196
* Fixes https://github.com/sebsauvage/Shaarli/issues/97
|
|\
| |
| | |
thumbnails: force HTTPS for youtube, imgur, vimeo
|
| |
| |
| |
| | |
* other services also provide thumbs over HTTPS, but the rewrite expression is more complex, so left out for now
|
|/
|
|
|
| |
* ATOM button display is now configurable using the SHOW_ATOM variable in index.php or data/options.php (defaults to false)
* Fixes https://github.com/shaarli/Shaarli/issues/24
|
|
|
|
| |
* fixes https://github.com/shaarli/Shaarli/issues/5
|
|
|
|
|
| |
* Thanks to qwertygc (https://github.com/shaarli/Shaarli/pull/23)
* Fix small typo
|
|
|
|
| |
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
|
|\
| |
| | |
bookmarklet: use selected text as description when adding a new link
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Based on romnGit's work at https://github.com/sebsauvage/Shaarli/pull/104
* Fixes https://github.com/shaarli/Shaarli/issues/18
* Closes https://github.com/sebsauvage/Shaarli/pull/104
* Fixes https://github.com/sebsauvage/Shaarli/issues/53
* Fixes https://github.com/sebsauvage/Shaarli/issues/129
* Fixes https://github.com/sebsauvage/Shaarli/issues/33
|
|\ \
| | |
| | | |
Fix grammar, punctuation, spelling, trailing whitepaces and newlines; Fix typo in css
|
| |/
| |
| |
| |
| |
| |
| | |
typo in css
Based on respencer's work at https://github.com/respencer/Shaarli/
Closes https://github.com/sebsauvage/Shaarli/pull/103
|
| |
| |
| |
| | |
I also removed the previously created placeholders, which after all, have no more utility.
|
| |
| |
| |
| | |
They are still in .gitignore because their future content will still be ignored.
|
| |
| |
| |
| | |
The same test is already on line 93
|
|/
|
|
|
|
| |
The path for templates and temporary files are now part of the configuration.
For a custom install, it's possible to put these writable directories elsewhere than in the read-only source code.
|
|
|
|
| |
link on the title.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of trusting the php session, it uses a cookie. The php session
sooner or later is distroyed if not used. It depends upon the server
settings. Using a cookie ensures that one really stays signed in.
Dev notes: I wanted to avoid merge conflicts, stay with the main
developper standards and keep the "index.php" in one file. That's why
the code may not be that nice. My own dev level my also explain.
|
|\
| |
| | |
smallHash: simplified and improved performance
|
| |
| |
| | |
Unchanged behaviour
|
|/
|
|
| |
Closes issue https://github.com/sebsauvage/Shaarli/issues/134
|
|
|
|
| |
Focus was not properly given to description field when it's empty.
|
|
|
| |
Default example private link changed from pastebin to ZeroBin.
|
| |
|
|\
| |
| |
| |
| | |
LionelMartin/3385af123f6b4dfc59aeaa69f180381307b64368
Added a json_encode implementation for PHP < 5.2 (free.fr)
|
| | |
|
| |
| |
| | |
Manually merged pull request https://github.com/sebsauvage/Shaarli/pull/99
|
|\ \
| | |
| | | |
RSS/Atom: add a parameter to print only the N last links
|
| |/ |
|
|\ \
| | |
| | | |
Corrected error message for lack of write access in ./data
|
| | | |
|
|\ \ \
| | | |
| | | | |
Added the possibility to put a description in the bookmarklet's URL
|
| |/ / |
|
|\ \ \
| | | |
| | | | |
Import: add compatibility for milliseconds in NETSCAPE-Bookmark
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
NETSCAPE-Bookmark sometimes contains dates as milliseconds instead of
seconds.
For instance, this is the case of the files gererated for Google +1s by
Google Takeout.
This patch make these files compatible.
|
|/ /
| |
| |
| | |
site veulent un UA)
|
| |
| |
| |
| | |
Thanks to a patch from Le Hollandais Volant.
|
|/
|
|
|
|
|
|
| |
SERVER_NAME changed to HTTP_HOST because SERVER_NAME can cause problems
on some misconfigured hosts. HTTP_HOST is usually more reliable with
those servers. (cf.
http://stackoverflow.com/questions/2297403/http-host-vs-server-name).
This should cause less problem on most hosts.
|
|\
| |
| | |
Timezone par défaut
|
| |
| |
| | |
timezone.
|
|/ |
|
| |
|
| |
|
|
|
|
| |
(Because on some hosts is_writable() is not reliable.)
|
|
|
|
| |
Because some user forget to check this at installation.
|
| |
|
|
|
|
| |
private by default.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_
Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)
Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards
Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works
- The url field of a link is vulnerable :
When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link
Or with a classic XSS : "><script>alert(1)</script>
Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer
e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com
History :
March 2, 2013
- Vendor contacted
|
|
|
|
| |
This corrects issue https://github.com/sebsauvage/Shaarli/issues/10
|