| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Focus was not properly given to description field when it's empty.
|
|
|
| |
Default example private link changed from pastebin to ZeroBin.
|
| |
|
|\
| |
| |
| |
| | |
LionelMartin/3385af123f6b4dfc59aeaa69f180381307b64368
Added a json_encode implementation for PHP < 5.2 (free.fr)
|
| | |
|
| |
| |
| | |
Manually merged pull request https://github.com/sebsauvage/Shaarli/pull/99
|
|\ \
| | |
| | | |
RSS/Atom: add a parameter to print only the N last links
|
| |/ |
|
|\ \
| | |
| | | |
Corrected error message for lack of write access in ./data
|
| | | |
|
|\ \ \
| | | |
| | | | |
Added the possibility to put a description in the bookmarklet's URL
|
| |/ / |
|
|\ \ \
| | | |
| | | | |
Import: add compatibility for milliseconds in NETSCAPE-Bookmark
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
NETSCAPE-Bookmark sometimes contains dates as milliseconds instead of
seconds.
For instance, this is the case of the files gererated for Google +1s by
Google Takeout.
This patch make these files compatible.
|
|/ /
| |
| |
| | |
site veulent un UA)
|
| |
| |
| |
| | |
Thanks to a patch from Le Hollandais Volant.
|
|/
|
|
|
|
|
|
| |
SERVER_NAME changed to HTTP_HOST because SERVER_NAME can cause problems
on some misconfigured hosts. HTTP_HOST is usually more reliable with
those servers. (cf.
http://stackoverflow.com/questions/2297403/http-host-vs-server-name).
This should cause less problem on most hosts.
|
|\
| |
| | |
Timezone par défaut
|
| |
| |
| | |
timezone.
|
|/ |
|
| |
|
| |
|
|
|
|
| |
(Because on some hosts is_writable() is not reliable.)
|
|
|
|
| |
Because some user forget to check this at installation.
|
| |
|
|
|
|
| |
private by default.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_
Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)
Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards
Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works
- The url field of a link is vulnerable :
When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link
Or with a classic XSS : "><script>alert(1)</script>
Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer
e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com
History :
March 2, 2013
- Vendor contacted
|
|
|
|
| |
This corrects issue https://github.com/sebsauvage/Shaarli/issues/10
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Shaarli uses light Javascript in its normal operation, and some jQuery
for some features (autocomplete in tags, QR-Code popup...).
jQuery can be slow on small computers. An option has been added in
configuration screen to disable javascript features which are hard on
CPU.
(Note that the Picture Wall is awfully heavy *without* jQuery.)
(Side note: A *LOT* of users want Shaarli to work without javasript at
all, if possible. That's why I try to use as few javascript as possible:
It keeps Shaarli pages fast.)
|
| |
|
| |
|
|
|
|
|
|
| |
displayed.
This closes the issues https://github.com/sebsauvage/Shaarli/issues/25
|
|
|
|
|
|
|
|
|
|
|
| |
In the RSS specifications, the "link" tags contains the URL to follow,
and the "guid" contains a unique identifier (which may or may not be an
URL).
RSS clients should always use "link" to follow the link (and most do),
but Thunderbird uses the "guid" if it find a valid URL inside (and only
falls back to "link" if "guid" is not an URL).
I have patched the RSS feed so that Thunderbird ignores the URL in guid.
|
|
|
|
|
|
| |
This is necessary because some hosts do not have a properly set
session.save_path parameter in php config, or do not have write access
to the directory.
|
|
|
|
|
|
| |
...by adding salt. These token are used in form which act on data to
prevent CSRF attacks.
This closes issue https://github.com/sebsauvage/Shaarli/issues/24
|
|
|
|
|
| |
Because some systems do not allow file overwriting when doing a
rename().
|
| |
|
|
|
|
|
| |
(for better looking URLs, eg. http://mysite.com/shaarli/?abcde instead
of http://mysite.com/shaarli/index.php?abcde)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch for issue https://github.com/sebsauvage/Shaarli/issues/19
Now:
* The (perma)link is added at the bottom of description.
* If "permalinks" is added in URL parameters, link/permalinks will be
swapped.
eg.
* Normal link in title + permalink in description:
http://mysite.com/shaarli/?do=rss
* Permalink in title + normal link in description :
http://mysite.com/shaarli/?do=rss&permalinks
It works for the ATOM feed too.
(Happy ? :-D )
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
This corrects the session problem with some browsers when Shaarli is
hosted on a sub-domain. Please tell me if this corrects login problems
if you had one.
|
|
|