Commit graph

170 commits

Author SHA1 Message Date
Bronco
b607a4c503 Added the possibility to put a description in the bookmarklet's URL
Conflicts:
	index.php
2013-09-16 12:02:34 +02:00
lehollandaisvolant
fb57aab74d Ajout d’un UA lors de la récupération d’une page externe (certains site veulent un UA) 2013-09-16 11:47:42 +02:00
Bronco
3057373a25 Added the possibility to put a description in the bookmarklet's URL 2013-09-16 10:32:02 +02:00
7e929771eb [upd] link to homepage 2013-09-09 10:44:42 +02:00
ba36c44c5c [add] link to contact page 2013-09-09 10:42:27 +02:00
lehollandaisvolant
03545ef691 Ajout d’un UA lors de la récupération d’une page externe (certains site veulent un UA) 2013-09-03 15:55:13 +02:00
Alexandre Alapetite
f0075b1743 Smaller logo file
Better PNG compression of logo file, as produced by Page Speed.
2013-08-23 17:37:59 +02:00
Alexandre Alapetite
ff63b7d111 Corrected error message for lack of write access in ./data 2013-08-23 17:02:15 +02:00
64f4f387a0 [fix] PHP notice error 2013-08-20 15:01:45 +02:00
588c4e4be4 Merge branch 'master' into myShaarli 2013-08-07 10:11:37 +02:00
256545b392 Merge branch 'master' of git://github.com/sebsauvage/Shaarli 2013-08-07 10:09:53 +02:00
Sebastien SAUVAGE
002ef0e5c8 Better encoding handling in title parsing
Thanks to a patch from Le Hollandais Volant.
2013-08-03 22:10:04 +02:00
Sebastien SAUVAGE
f6a6ca0aec SERVER_NAME changed to HTTP_HOST
SERVER_NAME changed to HTTP_HOST because SERVER_NAME can cause problems
on some misconfigured hosts. HTTP_HOST is usually more reliable with
those servers. (cf.
http://stackoverflow.com/questions/2297403/http-host-vs-server-name).
This should cause less problem on most hosts.
2013-08-03 22:00:09 +02:00
BoboTiG
fbd9e52716 RSS/Atom: add a parameter to print only the N last links 2013-07-26 08:57:19 +02:00
Lionel Martin
3385af123f Added json_encode implementation for php<5.2 2013-05-20 19:00:28 +02:00
12e74779c4 [fix] small bug (bad empty test) 2013-05-03 10:44:24 +02:00
c26d0303ee [fix] background repeat in login page 2013-04-30 16:24:43 +02:00
c2d24b7827 [add] via input 2013-04-30 16:20:54 +02:00
5b82e59b33 Add default background color for thumbshot. 2013-04-02 16:17:11 +02:00
Christophe HENRY
1db7867707 typo 2013-03-29 17:04:15 +01:00
Christophe HENRY
6888cc6f90 Adds a configuration variable "titleLink" which allows to customize the
link on the title.

Conflicts:
	tpl/page.header.html
2013-03-29 16:56:24 +01:00
ed5a80e732 [fix] css background linear 2013-03-29 15:59:19 +01:00
01f59ddf63 Change the tagcloud generation for better variaous size. 2013-03-29 15:51:56 +01:00
4c02d06d57 Merge remote-tracking branch 'master/master' into myShaarli 2013-03-29 15:48:58 +01:00
9550bfe181 Move inline CSS style to shaarli.css 2013-03-29 15:37:44 +01:00
dc420191df Move inline CSS style to shaarli.css 2013-03-29 15:21:32 +01:00
b28f3129ef just change order of few element 2013-03-21 12:24:51 +01:00
e4501035c3 Merge remote-tracking branch 'origin/master' into myShaarli 2013-03-21 10:57:51 +01:00
c98a5f2205 Create a personal themes for Shaarli. 2013-03-20 12:31:27 +01:00
8f2c12ce6a [add] option for use external service for thumbshot 2013-03-19 17:22:50 +01:00
Sébastien SAUVAGE
99954e1290 Merge pull request #43 from dsferruzza/highlight-search-results
Highlight search results
2013-03-11 02:11:47 -07:00
Sébastien SAUVAGE
87e3d65023 Merge pull request #42 from matchab/master
Timezone par défaut
2013-03-11 01:59:48 -07:00
Sébastien SAUVAGE
2d21a179b0 Merge pull request #45 from dsferruzza/fix-picwall-bug
Fix picwall bugs
2013-03-11 01:49:50 -07:00
David Sferruzza
f2acdfd14e Move lazyload init inside the body tag 2013-03-10 19:04:48 +01:00
David Sferruzza
a908244cc4 Fix bug producing invalid HTML 2013-03-10 19:03:34 +01:00
David Sferruzza
9da4953190 Avoid highlighting paging stuff 2013-03-10 18:26:16 +01:00
David Sferruzza
1b647ff409 Highlight search results (issue #4)
Uses http://bartaz.github.com/sandbox.js/jquery.highlight.html
2013-03-10 18:24:05 +01:00
Mathieu Chabanon
6e330f2225 Ingore Eclipse project files 2013-03-10 14:16:29 +01:00
Mathieu Chabanon
cb49ab945f Avoid a strict standard error when php.ini do not define the default
timezone.
2013-03-10 14:06:12 +01:00
Sébastien SAUVAGE
310f3ca007 Version 0.0.41 beta 2013-03-08 10:14:31 +01:00
Sébastien SAUVAGE
41a30d9b2d Merge pull request #37 from sebsauvage/CookieDomain
Correction for login problem with webkit browsers on sub-domain hosted Shaarli.
2013-03-08 01:01:40 -08:00
Sebastien SAUVAGE
75e199d606 Correction for login problem with webkit browsers on sub-domain hosted Shaarli. 2013-03-06 23:31:18 +01:00
Sebastien SAUVAGE
979d6334e7 Added second check to write rights.
(Because on some hosts is_writable() is not reliable.)
2013-03-04 21:26:06 +01:00
Sebastien SAUVAGE
f2cb5f95a9 Check that Shaarli has the right to write in its own directory.
Because some user forget to check this at installation.
2013-03-04 21:14:07 +01:00
Sebastien SAUVAGE
8a80e4fe07 Got rid of small display bugs before installation. 2013-03-04 21:02:24 +01:00
Sébastien SAUVAGE
22701e2d0b Merge pull request #30 from Knah-Tsaeb/master
Merged "Private by default" feature (when creating a new link).
2013-03-04 11:49:33 -08:00
bb8f712db6 [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. 2013-03-04 10:18:39 +01:00
Sebastien SAUVAGE
dd064cc315 Added https to list of authorized protocols. 2013-03-03 22:49:10 +01:00
Sebastien SAUVAGE
feebc6d466 Corrected vulnerabilities (see report below)
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_

Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)

Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works

- The url field of a link is vulnerable :

When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link

Or with a classic XSS : "><script>alert(1)</script>

Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer

e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com

History :
March 2, 2013
- Vendor contacted
2013-03-03 22:15:38 +01:00
Sebastien SAUVAGE
705f8355a9 Proper redirect in popup when login fails.
This corrects issue https://github.com/sebsauvage/Shaarli/issues/10
2013-03-02 14:07:00 +01:00