Commit graph

23 commits

Author SHA1 Message Date
VirtualTam
9d9f6d75b9 lint: fix line-length warnings
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-12-02 22:39:16 +01:00
VirtualTam
f211e417bf lint: apply phpcbf to application/
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-12-02 22:39:16 +01:00
VirtualTam
88110550b8 Refactor client session hijacking protection
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
ArthurHoaro
d449f79a0d
Merge pull request #977 from ArthurHoaro/feature/dl-filter
Extract the title/charset during page download, and check content type
2018-01-23 18:41:38 +01:00
ArthurHoaro
101b935de4
Merge pull request #1025 from ArthurHoaro/hotfix/proxy-443
Force HTTPS if the original port is 443 behind a reverse proxy
2017-12-03 12:46:43 +01:00
ArthurHoaro
8e9fc6f6e6 Force HTTPS if the original port is 443 behind a reverse proxy
Fixes #1022
2017-12-02 15:24:35 +01:00
ArthurHoaro
91c807d275 Increase buffer size for cURL download
1kB chunk size has caused me a lot of trouble with Travis which wasn't completing the download
2017-11-11 16:49:57 +01:00
ArthurHoaro
d65342e304 Extract the title/charset during page download, and check content type
Use CURLOPT_WRITEFUNCTION to check the response code and content type (only allow HTML).
Also extract the title and charset during downloading chunk of data, and stop it when everything has been extracted.

Closes #579
2017-10-28 14:35:49 +02:00
ArthurHoaro
a3130d2c2f Make work behind a reverse proxy
Without HTTP_X_FORWARDED_PORT check,  might be set to false even though the user is using HTTPS, thus disabling Firefox Social block display
2017-09-02 13:50:49 +02:00
Stephen Muth
b80315e238 Respect HTTP_X_FORWARDED_HOST
alongside _PORT and _PROTO
Fixes #879
2017-07-08 00:01:03 +00:00
VirtualTam
ee6f4b64a9 Cleanup: use safe boolean comparisons
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-01-07 14:37:40 +01:00
ArthurHoaro
8e4be77368 Hide default port in local URL behind a reverse proxy 2017-01-03 14:17:05 +01:00
Arthur
adcdac1dec Merge pull request #623 from ArthurHoaro/security/reverse-proxy-ban
Add trusted IPs in config and try to ban forwarded IP on failed login
2016-10-12 14:48:57 +02:00
julienCXX
634783f916 Set cURL as default in HTTP fetching, a fallback method and consistency fixup between both methods 2016-08-08 20:45:50 +02:00
ArthurHoaro
50d1791838 Add trusted IPs in config and try to ban forwarded IP on failed login
* Add a new settings (which needs to be manually set): `security.trusted_proxies`
  * On login failure, if the `REMOTE_ADDR` is in the trusted proxies, try to retrieve the forwarded IP in headers.
  * If found, the client address is added in ipbans, else we do nothing.

Fixes #409
2016-08-03 10:36:47 +02:00
ArthurHoaro
5046bcb6ab Fix startsWith and endsWith case 2016-05-10 23:31:41 +02:00
ArthurHoaro
caa69b5853 typo 2016-05-05 13:28:43 +02:00
ArthurHoaro
ce7b0b6480 Fixes #531 - Title retrieving is failing with multiple use case
see https://github.com/shaarli/Shaarli/issues/531 for details
2016-05-03 19:51:29 +02:00
ArthurHoaro
85244fa0d0 Fixes #477: support multi reverse proxy with comma syntax
Going through multiple reverse proxy will store multiple scheme and port in HTTP header separated by a comma. Shaarli will use the first one to generate server_url.
2016-02-28 16:24:18 +01:00
VirtualTam
fc17813bd1 tests: add a make target to check file permissions
Additions:
- [makefile] check versioned files are not executable
- [travis]   call the new make target

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2016-01-17 21:02:24 +01:00
ArthurHoaro
1557cefbd7 Fixes #410 - Retrieve title fails in multiple cases
* `get_http_url()` renamed to `get_http_response()`.
  * Use the same HTTP context to retrieve response headers and content.
  * Follow HTTP 301 and 302 redirections to retrieve the title (default max 3 redirections).
  * Add `LinkUtils` to extract titles and charset.
  * Try to retrieve charset from HTTP headers first (new), then HTML content.
  * Use mb_string to re-encode title if necessary.
2016-01-11 21:19:31 +01:00
VirtualTam
482d67bd52 HTTP: move server URL functions to HttpUtils.php
Relates to #333

Modifications:
 - refactor server URL utility functions
 - do not access global `$_SERVER` variables
 - add test coverage
 - improve readability
 - apply coding conventions

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2015-09-14 20:27:16 +02:00
VirtualTam
451314eb48 HTTP: move utils to a proper file, add tests
Relates to #333

Modifications:
 - move HTTP utils to 'application/HttpUtils.php'
 - simplify logic
   - replace 'http_parse_headers_shaarli' by built-in 'get_headers()'
   - remove superfluous '$status' parameter (provided by the HTTP headers)
 - apply coding conventions
 - add test coverage (unitary only)

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2015-09-06 19:30:26 +02:00