Knah-Tsaeb/MyShaarli
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
114 commits 8 branches 1 tag 9.7 MiB
Commit graph

67 commits

Author SHA1 Message Date
nodiscc d2f517638c make archive.org integration optional (ARCHIVE_ORG option, defaults to false) 2014-11-08 18:21:19 +01:00
nodiscc 01ec179148 index.html: add warning message about hostname/cookie storage problems 
* Fixes https://github.com/sebsauvage/Shaarli/issues/196
 * Fixes https://github.com/sebsauvage/Shaarli/issues/97
 2014-11-03 13:21:14 +01:00
Emilien Klein 39e41053ad Merge pull request #36 from nodiscc/https-thumbnails 
thumbnails: force HTTPS for youtube, imgur, vimeo
 2014-10-23 20:06:29 +02:00
nodiscc 1a663a0f2c thumbnails: force HTTPS for youtube, imgur, vimeo 
* other services also provide thumbs over HTTPS, but the rewrite expression is more complex, so left out for now
 2014-10-23 18:00:21 +02:00
nodiscc 1099d8fcad Make ATOM toolbar button optional 
* ATOM button display is now configurable using the SHOW_ATOM variable in index.php or data/options.php (defaults to false)
 * Fixes https://github.com/shaarli/Shaarli/issues/24
 2014-10-23 17:47:30 +02:00
nodiscc b11bc5b6f9 update check: check against last version available on github.com/shaarli/Shaarli 
* fixes https://github.com/shaarli/Shaarli/issues/5
 2014-10-21 18:11:16 +02:00
nodiscc 27646ca5b4 add link: in case of empty URL (self-post), prepend "Note: " to the title 
* Thanks to qwertygc (https://github.com/shaarli/Shaarli/pull/23)
 * Fix small typo
 2014-10-21 16:18:25 +02:00
VirtualTam 2f2aa06b95 fix: add missing slash when defining RainTPL's temp dir 
Signed-off-by: VirtualTam <virtualtam@flibidi.org>
 2014-10-19 00:57:41 +02:00
nodiscc e0cbb07872 Merge pull request #19 from nodiscc/master 
bookmarklet: use selected text as description when adding a new link
 2014-08-19 21:52:36 +02:00
Sbgodin abc98ab39d Merge pull request #20 from nodiscc/fix-typos 
Fix grammar, punctuation, spelling, trailing whitepaces and newlines; Fix typo in css
 2014-08-19 21:33:53 +02:00
nodiscc ad6c27b7b8 Fix grammar, punctuation, spelling, trailing whitepaces and newlines; Fix typo in css 
Based on respencer's work at https://github.com/respencer/Shaarli/
Closes https://github.com/sebsauvage/Shaarli/pull/103
 2014-08-19 18:01:15 +02:00
nodiscc a1795ddcf3 bookmarklet: use selected text as description when adding a new link 
* Based on romnGit's work at https://github.com/sebsauvage/Shaarli/pull/104
 * Fixes https://github.com/shaarli/Shaarli/issues/18
 * Closes https://github.com/sebsauvage/Shaarli/pull/104
 * Fixes https://github.com/sebsauvage/Shaarli/issues/53
 * Fixes https://github.com/sebsauvage/Shaarli/issues/129
 * Fixes https://github.com/sebsauvage/Shaarli/issues/33
 2014-08-11 00:13:29 +02:00
Christophe HENRY 3bb684f59f Removes htaccess file creation and adds them in the repository 
I also removed the previously created placeholders, which after all, have no more utility.
 2014-08-04 00:42:49 +02:00
Christophe HENRY e7416aba2c Adds empty directories: cache, data, pagecache and tmp. Removes mkdirs. 
They are still in .gitignore because their future content will still be ignored.
 2014-08-04 00:41:55 +02:00
Christophe HENRY c614a35db8 Removed redundant check on RAINTPL_TMP directory 
The same test is already on line 93
 2014-07-31 23:31:58 +02:00
Christophe HENRY 25f5c59db6 Adds configuration variables, TPL and TMP, for RainTPL 
The path for templates and temporary files are now part of the configuration.

For a custom install, it's possible to put these writable directories elsewhere than in the read-only source code.
 2014-07-31 23:31:58 +02:00
Christophe HENRY ebb2880dfc Adds a configuration variable "titleLink" which allows to customize the 
link on the title.
 2014-07-27 23:32:41 +02:00
Emilien Klein 4ade7393a3 Release version 0.0.42 beta 2014-07-27 22:57:30 +02:00
Christophe HENRY ae00595b1c A real "Stay signed in": keep the connection 
Instead of trusting the php session, it uses a cookie. The php session
sooner or later is distroyed if not used. It depends upon the server
settings. Using a cookie ensures that one really stays signed in.

Dev notes: I wanted to avoid merge conflicts, stay with the main
developper standards and keep the "index.php" in one file. That's why
the code may not be that nice. My own dev level my also explain.
 2013-12-05 22:26:04 +01:00
Sébastien SAUVAGE ab0638edb0 Merge pull request #145 from Alkarex/patch-1 
smallHash: simplified and improved performance
 2013-11-29 13:01:08 -08:00
Sebastien SAUVAGE 53da201749 XSS flaw correction 
Closes issue https://github.com/sebsauvage/Shaarli/issues/134
 2013-11-29 21:53:20 +01:00
Alexandre Alapetite c002ca9c6b smallHash: simplified and improved performance 
Unchanged behaviour
 2013-11-10 22:50:34 +01:00
Sebastien SAUVAGE 7b2186a63e Corrected field focus in bookmarklet 
Focus was not properly given to description field when it's empty.
 2013-09-27 17:08:31 +02:00
Sébastien SAUVAGE 58a8f4cab4 Default example private link changed 
Default example private link changed from pastebin to ZeroBin.
 2013-09-25 10:41:31 +02:00
Sebastien SAUVAGE c677013b93 Added nb=all to get all links in RSS/ATOM feed. 2013-09-24 22:39:40 +02:00
Sébastien SAUVAGE eea58b3d5a Merge pull request #87 from LionelMartin/3385af123f6b4dfc59aeaa69f180381307b64368 
Added a json_encode implementation for PHP < 5.2 (free.fr)
 2013-09-24 02:20:06 -07:00
Sébastien SAUVAGE 3fac0a5257 Added tags+private in shaarli URL 
Manually merged pull request https://github.com/sebsauvage/Shaarli/pull/99
 2013-09-24 11:17:22 +02:00
Sébastien SAUVAGE 85c0205876 Merge pull request #112 from BoboTiG/master 
RSS/Atom: add a parameter to print only the N last links
 2013-09-24 02:10:18 -07:00
Sébastien SAUVAGE 0b88c6022d Merge pull request #118 from Alkarex/patch-1 
Corrected error message for lack of write access in ./data
 2013-09-24 02:07:21 -07:00
Sébastien SAUVAGE c4bbb01064 Merge pull request #125 from broncowdd/master 
Added the possibility to put a description in the bookmarklet's URL
 2013-09-24 02:03:26 -07:00
Sébastien SAUVAGE fdc3c114d1 Merge pull request #126 from Alkarex/Milliseconds 
Import: add compatibility for milliseconds in NETSCAPE-Bookmark
 2013-09-24 02:02:33 -07:00
Alexandre Alapetite fc93ae1d1a Import NETSCAPE-Bookmark compatible milliseconds 
NETSCAPE-Bookmark sometimes contains dates as milliseconds instead of
seconds.
For instance, this is the case of the files gererated for Google +1s by
Google Takeout.
This patch make these files compatible.
 2013-09-21 18:15:41 +02:00
Bronco 3057373a25 Added the possibility to put a description in the bookmarklet's URL 2013-09-16 10:32:02 +02:00
lehollandaisvolant 03545ef691 Ajout d’un UA lors de la récupération d’une page externe (certains site veulent un UA) 2013-09-03 15:55:13 +02:00
Alexandre Alapetite ff63b7d111 Corrected error message for lack of write access in ./data 2013-08-23 17:02:15 +02:00
Sebastien SAUVAGE 002ef0e5c8 Better encoding handling in title parsing 
Thanks to a patch from Le Hollandais Volant.
 2013-08-03 22:10:04 +02:00
Sebastien SAUVAGE f6a6ca0aec SERVER_NAME changed to HTTP_HOST 
SERVER_NAME changed to HTTP_HOST because SERVER_NAME can cause problems
on some misconfigured hosts. HTTP_HOST is usually more reliable with
those servers. (cf.
http://stackoverflow.com/questions/2297403/http-host-vs-server-name).
This should cause less problem on most hosts.
 2013-08-03 22:00:09 +02:00
BoboTiG fbd9e52716 RSS/Atom: add a parameter to print only the N last links 2013-07-26 08:57:19 +02:00
Lionel Martin 3385af123f Added json_encode implementation for php<5.2 2013-05-20 19:00:28 +02:00
Sébastien SAUVAGE 87e3d65023 Merge pull request #42 from matchab/master 
Timezone par défaut
 2013-03-11 01:59:48 -07:00
David Sferruzza a908244cc4 Fix bug producing invalid HTML 2013-03-10 19:03:34 +01:00
Mathieu Chabanon cb49ab945f Avoid a strict standard error when php.ini do not define the default 
timezone.
 2013-03-10 14:06:12 +01:00
Sébastien SAUVAGE 310f3ca007 Version 0.0.41 beta 2013-03-08 10:14:31 +01:00
Sebastien SAUVAGE 75e199d606 Correction for login problem with webkit browsers on sub-domain hosted Shaarli. 2013-03-06 23:31:18 +01:00
Sebastien SAUVAGE 979d6334e7 Added second check to write rights. 
(Because on some hosts is_writable() is not reliable.)
 2013-03-04 21:26:06 +01:00
Sebastien SAUVAGE f2cb5f95a9 Check that Shaarli has the right to write in its own directory. 
Because some user forget to check this at installation.
 2013-03-04 21:14:07 +01:00
Sebastien SAUVAGE 8a80e4fe07 Got rid of small display bugs before installation. 2013-03-04 21:02:24 +01:00
Knah Tsaeb bb8f712db6 [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. 2013-03-04 10:18:39 +01:00
Sebastien SAUVAGE dd064cc315 Added https to list of authorized protocols. 2013-03-03 22:49:10 +01:00
Sebastien SAUVAGE feebc6d466 Corrected vulnerabilities (see report below) 
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_

Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)

Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works

- The url field of a link is vulnerable :

When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link

Or with a classic XSS : "><script>alert(1)</script>

Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer

e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com

History :
March 2, 2013
- Vendor contacted
 2013-03-03 22:15:38 +01:00