Commit graph

159 commits

Author SHA1 Message Date
VirtualTam
7a9daac56d API: fix JWT signature verification
Fixes https://github.com/shaarli/Shaarli/issues/737

Added:
- Base64Url utilities

Fixed:
- use URL-safe Base64 encoding/decoding functions
- use byte representations for HMAC digests
- all JWT parts are Base64Url-encoded

See:
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://tools.ietf.org/html/rfc7519
- https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
- https://jwt.io/introduction/
- https://en.wikipedia.org/wiki/Base64#URL_applications
- https://secure.php.net/manual/en/function.base64-encode.php#103849

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-01-04 16:59:47 +01:00
Arthur
fc11ab2f29 Merge pull request #682 from ArthurHoaro/delete-button
Bugfixes on link deletion, and use a GET form
2017-01-04 16:35:29 +01:00
Arthur
061f04fba0 Merge pull request #733 from ArthurHoaro/hotfix/reverse-proxy-port
Hide default ports in local URL behind a reverse proxy
2017-01-04 16:34:06 +01:00
VirtualTam
eaf2524887 URL cleanup: add 'campaign_' to the annoying parameters
Closes https://github.com/shaarli/Shaarli/issues/735

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-01-04 11:42:05 +01:00
ArthurHoaro
8e4be77368 Hide default port in local URL behind a reverse proxy 2017-01-03 14:17:05 +01:00
ArthurHoaro
b3051a6aae Fixes presence of empty tags for private tags and in search results
* Private tags: make sure empty tags are properly filtered
  * Search results:
    * Use preg_split instead of function combination
    * Add normalize_spaces to remove extra whitespaces displaying empty tags search
2017-01-03 09:47:15 +01:00
ArthurHoaro
db90dfcbbc Move PubSubHubbub code as a default plugin 2016-12-20 11:41:24 +01:00
ArthurHoaro
f4ebd5fed2 Bugfixes on link deletion, and use a GET form
Use a GET form to delete links: harmonize with edit_link and preparation for #585

Bug fixes:

  * LinkDB element can't be passed as reference, fix error:

    PHP Notice:  Indirect modification of overloaded element of LinkDB has no effect

  * Resource cache folder setting wasn't set correctly
2016-12-16 12:42:13 +01:00
ArthurHoaro
18e6796726 REST API structure using Slim framework
* REST API routes are handle by Slim.
  * Every API controller go through ApiMiddleware which handles security.
  * First service implemented `/info`, for tests purpose.
2016-12-15 10:36:00 +01:00
ArthurHoaro
cbfdcff261 Prepare settings for the API in the admin page and during the install
API settings:
   - api.enabled
   - api.secret

The API settings will be initialized (and the secret generated) with an update method.
2016-12-12 03:54:10 +01:00
ArthurHoaro
d592daea83 Add a persistent 'shorturl' key to all links
All existing link will keep their permalinks.
New links will have smallhash generated with date+id.

The purpose of this is to avoid collision between links due to their creation date.
2016-12-12 03:03:12 +01:00
ArthurHoaro
01878a75b9 Apply the new ID system accros the whole codebase 2016-12-12 03:03:12 +01:00
ArthurHoaro
1dc37f9cf8 Update method to use the new ID system, which replaces linkdate primary keys.
creation and update dates are now DateTime objects.
Since this update is very sensitve (changing the whole database), the datastore will be automatically backed up into the file datastore.<datetime>.php.
2016-12-12 03:02:01 +01:00
ArthurHoaro
29d108820f Link ID refactoring
Links now use an incremental unique numeric identifier.
    This ID is persistent and must never change.

    ArrayAccess is used to match the link ID with the array keys (see the comment in LinkDB for more details)

    Key 'created' added, with creation date as a DateTime object. 'updated' is now also a DateTime.
2016-12-12 03:02:01 +01:00
ArthurHoaro
5ebc1d504b .htaccess files: support Apache 2.4+ syntax
If `mod_version` is enabled, the previous syntax will apply for Apache <2.4.
If not, the new syntax is used by default.

Fixes #676

`mod_version` identifier is `version_module` across all Apache versions. See:

  * https://httpd.apache.org/docs/current/mod/mod_version.html
  * https://httpd.apache.org/docs/2.2/mod/mod_version.html
  * https://serverfault.com/questions/733910/how-do-i-load-mod-version-only-if-it-isnt-built-in-to-apache

Note that version_module comes built-in with Debian (and derivatives) Apache2 packages, see https://wiki.debian.org/Apache/PackagingFor24
2016-11-08 11:38:14 +01:00
VirtualTam
3d5e0aede3 Merge pull request #673 from virtualtam/cleanup/linkdb
LinkDB: code cleanup
2016-10-21 11:04:52 +02:00
VirtualTam
954dc2446c Merge pull request #665 from ArthurHoaro/fix/feed-hashtags
Fix hashtag links in Feeds
2016-10-20 21:37:28 +02:00
VirtualTam
735ed4a94e LinkDB: explicit method visibility
Relates to https://github.com/shaarli/Shaarli/issues/95

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2016-10-20 21:33:42 +02:00
VirtualTam
f21abf3292 LinkDB: update datastore method names
Relates to https://github.com/shaarli/Shaarli/issues/95

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2016-10-20 21:33:40 +02:00
VirtualTam
628b97cbdf LinkDB: do not prefix privates with an underscore
Relates to #95

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2016-10-20 21:10:56 +02:00
ArthurHoaro
fbc28ff1c8 Fix hashtags links in Feeds
Make the hashtag link absolute in feeds to work properly in RSS syndication tools.
2016-10-20 11:42:01 +02:00
ArthurHoaro
7af9a41881 Minor code cleanup: PHPDoc, spelling, unused variables, etc. 2016-10-20 11:36:11 +02:00
VirtualTam
8406a4b670 Merge pull request #662 from virtualtam/fix/feed/self-link
Fix: return the proper value for the "self" feed attribute
2016-10-17 17:58:39 +02:00
VirtualTam
44a718090d Fix: return the proper value for the "self" feed attribute
Fixes https://github.com/shaarli/Shaarli/issues/629
Closes https://github.com/shaarli/Shaarli/pull/630

Note: you might need to empty the "pagecache" directory for the
fix to be taken into account

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2016-10-16 20:58:15 +02:00
ArthurHoaro
7fde6de121 New init function for plugins, supports errors reporting
All plugins can optionally add an init function named `pluginname_init()` which is called when the plugin is loaded.

This function is aware of the config, and can return initialization errors, which are displayed in the header template.

Note that the previous error system hack no longer work.
2016-10-14 13:22:58 +02:00
Arthur
0354257266 Merge pull request #622 from ArthurHoaro/update-date
Save link update dates and render it in templates and feeds
2016-10-12 14:51:37 +02:00
Arthur
adcdac1dec Merge pull request #623 from ArthurHoaro/security/reverse-proxy-ban
Add trusted IPs in config and try to ban forwarded IP on failed login
2016-10-12 14:48:57 +02:00
VirtualTam
8758bb0ac8 Merge pull request #619 from ArthurHoaro/plugins/param-desc
Add a description to plugin parameters
2016-08-13 14:48:51 +02:00
VirtualTam
db6dec0de1 Fix: add missing final newlines, untabify text
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2016-08-13 14:22:22 +02:00
VirtualTam
f4ad7bde56 Fix: ensure Internet Explorer bookmark dumps can be imported
Relates to https://github.com/shaarli/Shaarli/issues/607

Modifications:
- [application][tests] NetscapeBookmarkUtils: more permissive doctype detection

The IE bookmark exports contain extra escape sequences, which can be observed
by binary comparison of the reference input data used in tests:

   $ cmp -b -l -n 8 netscape_basic.htm internet_explorer_encoding.htm

   1  74 <    357 M-o
   2  41 !    273 M-;
   3 104 D    277 M-?
   4 117 O     74 <
   5 103 C     41 !
   6 124 T    104 D
   7 131 Y    117 O
   8 120 P    103 C

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2016-08-12 23:22:15 +02:00
VirtualTam
a973afeac7 Refactor bookmark import using a generic Netscape parser
Relates to #607
Relates to #608
Relates to #493 (abandoned)

Additions:
- use Composer's autoload to load 3rd-party dependencies under vendor/

Modifications:
- [import] replace the current parser with a generic, stable parser
  - move code to application/NetscapeBookmarkUtils
  - improve status report after parsing
- [router] use the same endpoint for both bookmark upload and import dialog
- [template] update bookmark import options
  - allow adding tags to all imported links
  - allow selecting the visibility (privacy) of imported links
- [tests] ensure bookmarks are properly parsed and imported in the LinkDB
  - reuse reference input from the parser's test data

See:
- https://github.com/shaarli/netscape-bookmark-parser
- https://getcomposer.org/doc/01-basic-usage.md#autoloading

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2016-08-10 01:42:44 +02:00
Arthur
d0d3623172 Merge pull request #624 from julienCXX/pr-curl-http-fetch
Added (and set as default) a cURL-based method for fetching HTTP content
2016-08-09 13:15:19 +02:00
julienCXX
634783f916 Set cURL as default in HTTP fetching, a fallback method and consistency fixup between both methods 2016-08-08 20:45:50 +02:00
ArthurHoaro
edf3ff5a53 Initialize a translation function
It matches the API of ngettext().
2016-08-07 11:54:39 +02:00
ArthurHoaro
fd5ac47ea2 Generate a token for every pages 2016-08-06 14:09:26 +02:00
ArthurHoaro
50d1791838 Add trusted IPs in config and try to ban forwarded IP on failed login
* Add a new settings (which needs to be manually set): `security.trusted_proxies`
  * On login failure, if the `REMOTE_ADDR` is in the trusted proxies, try to retrieve the forwarded IP in headers.
  * If found, the client address is added in ipbans, else we do nothing.

Fixes #409
2016-08-03 10:36:47 +02:00
ArthurHoaro
c6d876bb2a Set updated date for items in feeds
RSS doesn't support updated date for items, so we use the ATOM extension.
Updated dates also bump the global update
2016-08-03 09:54:57 +02:00
ArthurHoaro
9646b7da22 Save the update date in LinkDB and pass it to linklist templates
It can be used as a timestamp by templates under the key 'updated_timestamp'.
2016-08-03 09:44:04 +02:00
VirtualTam
c7a42ab1d9 Merge pull request #621 from ArthurHoaro/hotfix/update-escape-config
Fix update method escapeUnescapedConfig
2016-08-02 19:46:47 +02:00
ArthurHoaro
b9f8b83790 Fix update method escapeUnescapedConfig
* Actually run it
  * unit tests

Fixes #611
2016-08-02 12:54:55 +02:00
ArthurHoaro
15170b5164 Parse plugin parameters description with the PluginManager
Plugin parameter can contain a description in their meta file under the key:

    parameter.<param_name>="<description>"
2016-08-02 11:12:01 +02:00
ArthurHoaro
9866b40814 Better whitespace handling in tags
Correct PR #573 to work properly with hidden tags, and add ReferenceLinkDB UT.

Fixes #571 - Closes #573
2016-08-02 10:34:21 +02:00
Chris Kuethe
4b35853d68 Better whitespace handling in tags. Fixes #571 2016-08-02 10:22:18 +02:00
ArthurHoaro
97ef33bb72 Fixes #600 - Shaarli's title is not set with the new config manager
- Fixed title config key
  - Page title (in head tag) is no longer set through the config manager
2016-07-19 18:03:09 +02:00
Arthur
0c4c7ae818 Merge pull request #558 from ArthurHoaro/hashtag4
Hashtag system
2016-07-09 07:36:23 +02:00
Arthur
649af5b501 Merge pull request #570 from ArthurHoaro/config-manager
Introduce a configuration manager
2016-07-09 07:19:48 +02:00
ArthurHoaro
5ff23f02b8 Add closing PHP tags to JSON config files 2016-06-20 18:30:37 +02:00
ArthurHoaro
b302c77c74 Pass the configuration manager to templates 2016-06-15 18:22:19 +02:00
ArthurHoaro
894a3c4bf3 Rename configuration key for better sections 2016-06-11 09:30:56 +02:00
ArthurHoaro
51def0d849 PluginManager no longer uses singleton pattern 2016-06-11 09:30:56 +02:00