Commit graph

1571 commits

Author SHA1 Message Date
Christophe HENRY
ae00595b1c A real "Stay signed in": keep the connection
Instead of trusting the php session, it uses a cookie. The php session
sooner or later is distroyed if not used. It depends upon the server
settings. Using a cookie ensures that one really stays signed in.

Dev notes: I wanted to avoid merge conflicts, stay with the main
developper standards and keep the "index.php" in one file. That's why
the code may not be that nice. My own dev level my also explain.
2013-12-05 22:26:04 +01:00
Sébastien SAUVAGE
067e66acfe Corrected overlapping tags 2013-12-04 13:55:42 +01:00
Sébastien SAUVAGE
ab0638edb0 Merge pull request #145 from Alkarex/patch-1
smallHash: simplified and improved performance
2013-11-29 13:01:08 -08:00
Sebastien SAUVAGE
53da201749 XSS flaw correction
Closes issue https://github.com/sebsauvage/Shaarli/issues/134
2013-11-29 21:53:20 +01:00
Alexandre Alapetite
c002ca9c6b smallHash: simplified and improved performance
Unchanged behaviour
2013-11-10 22:50:34 +01:00
TsT
ae22a12b8a uniform if syntax 2013-10-23 23:21:36 +02:00
Sebastien SAUVAGE
7b2186a63e Corrected field focus in bookmarklet
Focus was not properly given to description field when it's empty.
2013-09-27 17:08:31 +02:00
Sébastien SAUVAGE
2d20481e45 Update README.md 2013-09-26 15:17:43 +02:00
Sebastien SAUVAGE
246e9b4e37 Removed jQuery from almost all pages
jQuery has been removed from all pages, except those who really require
it (like autocomplete in link edition).
Immediate gain: All pages weight 286 kb LESS !   \o/
Highlighting in search results has also been temporarly removed (and
will be re-implemented).
2013-09-25 21:27:50 +02:00
Sébastien SAUVAGE
af77b2fd9a New QR-Code generation code
* QR-Code generation now uses a client-side javascript library instead of an external service. This is better for user privacy.
* Library used is http://neocotic.com/qr.js/ (11 kb).
* jQuery is no longer used to display QR-Code (this is a first step in removing jQuery entirely).
* This library is loaded *only* if the QR-Code icon is clicked.
* If javascript is disabled, it will fallback to the external service.
* External service was changed from "invx.com" to "qrfree.kaywa.com" because invx has become bloated.

By loading the javascript library *only* if the icon is clicked, it will prevent the 11 kb lib to be loaded in every page.
2013-09-25 15:17:09 +02:00
Sébastien SAUVAGE
26c9556894 Changed QR-Code CSS (selector and attributes) 2013-09-25 14:58:47 +02:00
Sébastien SAUVAGE
83cff11de5 Added javascript QR-Code library 2013-09-25 14:57:27 +02:00
Sébastien SAUVAGE
58a8f4cab4 Default example private link changed
Default example private link changed from pastebin to ZeroBin.
2013-09-25 10:41:31 +02:00
Sebastien SAUVAGE
c677013b93 Added nb=all to get all links in RSS/ATOM feed. 2013-09-24 22:39:40 +02:00
Sébastien SAUVAGE
eea58b3d5a Merge pull request #87 from LionelMartin/3385af123f6b4dfc59aeaa69f180381307b64368
Added a json_encode implementation for PHP < 5.2 (free.fr)
2013-09-24 02:20:06 -07:00
Sébastien SAUVAGE
3fac0a5257 Added tags+private in shaarli URL
Manually merged pull request https://github.com/sebsauvage/Shaarli/pull/99
2013-09-24 11:17:22 +02:00
Sébastien SAUVAGE
85c0205876 Merge pull request #112 from BoboTiG/master
RSS/Atom: add a parameter to print only the N last links
2013-09-24 02:10:18 -07:00
Sébastien SAUVAGE
0b88c6022d Merge pull request #118 from Alkarex/patch-1
Corrected error message for lack of write access in ./data
2013-09-24 02:07:21 -07:00
Sébastien SAUVAGE
371a6fc2d2 Merge pull request #119 from Alkarex/master
Smaller logo file
2013-09-24 02:06:41 -07:00
Sébastien SAUVAGE
c4bbb01064 Merge pull request #125 from broncowdd/master
Added the possibility to put a description in the bookmarklet's URL
2013-09-24 02:03:26 -07:00
Sébastien SAUVAGE
fdc3c114d1 Merge pull request #126 from Alkarex/Milliseconds
Import: add compatibility for milliseconds in NETSCAPE-Bookmark
2013-09-24 02:02:33 -07:00
Sébastien SAUVAGE
5d48d5d06e Merge pull request #122 from lehollandaisvolant/master
Ajout d’un UA lors de la récupération d’une page externe
2013-09-24 02:01:13 -07:00
Alexandre Alapetite
fc93ae1d1a Import NETSCAPE-Bookmark compatible milliseconds
NETSCAPE-Bookmark sometimes contains dates as milliseconds instead of
seconds.
For instance, this is the case of the files gererated for Google +1s by
Google Takeout.
This patch make these files compatible.
2013-09-21 18:15:41 +02:00
Bronco
3057373a25 Added the possibility to put a description in the bookmarklet's URL 2013-09-16 10:32:02 +02:00
lehollandaisvolant
03545ef691 Ajout d’un UA lors de la récupération d’une page externe (certains site veulent un UA) 2013-09-03 15:55:13 +02:00
Alexandre Alapetite
f0075b1743 Smaller logo file
Better PNG compression of logo file, as produced by Page Speed.
2013-08-23 17:37:59 +02:00
Alexandre Alapetite
ff63b7d111 Corrected error message for lack of write access in ./data 2013-08-23 17:02:15 +02:00
Sebastien SAUVAGE
002ef0e5c8 Better encoding handling in title parsing
Thanks to a patch from Le Hollandais Volant.
2013-08-03 22:10:04 +02:00
Sebastien SAUVAGE
f6a6ca0aec SERVER_NAME changed to HTTP_HOST
SERVER_NAME changed to HTTP_HOST because SERVER_NAME can cause problems
on some misconfigured hosts. HTTP_HOST is usually more reliable with
those servers. (cf.
http://stackoverflow.com/questions/2297403/http-host-vs-server-name).
This should cause less problem on most hosts.
2013-08-03 22:00:09 +02:00
BoboTiG
fbd9e52716 RSS/Atom: add a parameter to print only the N last links 2013-07-26 08:57:19 +02:00
Lionel Martin
3385af123f Added json_encode implementation for php<5.2 2013-05-20 19:00:28 +02:00
Sébastien SAUVAGE
99954e1290 Merge pull request #43 from dsferruzza/highlight-search-results
Highlight search results
2013-03-11 02:11:47 -07:00
Sébastien SAUVAGE
87e3d65023 Merge pull request #42 from matchab/master
Timezone par défaut
2013-03-11 01:59:48 -07:00
Sébastien SAUVAGE
2d21a179b0 Merge pull request #45 from dsferruzza/fix-picwall-bug
Fix picwall bugs
2013-03-11 01:49:50 -07:00
David Sferruzza
f2acdfd14e Move lazyload init inside the body tag 2013-03-10 19:04:48 +01:00
David Sferruzza
a908244cc4 Fix bug producing invalid HTML 2013-03-10 19:03:34 +01:00
David Sferruzza
9da4953190 Avoid highlighting paging stuff 2013-03-10 18:26:16 +01:00
David Sferruzza
1b647ff409 Highlight search results (issue #4)
Uses http://bartaz.github.com/sandbox.js/jquery.highlight.html
2013-03-10 18:24:05 +01:00
Mathieu Chabanon
6e330f2225 Ingore Eclipse project files 2013-03-10 14:16:29 +01:00
Mathieu Chabanon
cb49ab945f Avoid a strict standard error when php.ini do not define the default
timezone.
2013-03-10 14:06:12 +01:00
Sébastien SAUVAGE
310f3ca007 Version 0.0.41 beta 2013-03-08 10:14:31 +01:00
Sébastien SAUVAGE
41a30d9b2d Merge pull request #37 from sebsauvage/CookieDomain
Correction for login problem with webkit browsers on sub-domain hosted Shaarli.
2013-03-08 01:01:40 -08:00
Sebastien SAUVAGE
75e199d606 Correction for login problem with webkit browsers on sub-domain hosted Shaarli. 2013-03-06 23:31:18 +01:00
Sebastien SAUVAGE
979d6334e7 Added second check to write rights.
(Because on some hosts is_writable() is not reliable.)
2013-03-04 21:26:06 +01:00
Sebastien SAUVAGE
f2cb5f95a9 Check that Shaarli has the right to write in its own directory.
Because some user forget to check this at installation.
2013-03-04 21:14:07 +01:00
Sebastien SAUVAGE
8a80e4fe07 Got rid of small display bugs before installation. 2013-03-04 21:02:24 +01:00
Sébastien SAUVAGE
22701e2d0b Merge pull request #30 from Knah-Tsaeb/master
Merged "Private by default" feature (when creating a new link).
2013-03-04 11:49:33 -08:00
bb8f712db6 [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. 2013-03-04 10:18:39 +01:00
Sebastien SAUVAGE
dd064cc315 Added https to list of authorized protocols. 2013-03-03 22:49:10 +01:00
Sebastien SAUVAGE
feebc6d466 Corrected vulnerabilities (see report below)
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_

Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)

Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works

- The url field of a link is vulnerable :

When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link

Or with a classic XSS : "><script>alert(1)</script>

Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer

e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com

History :
March 2, 2013
- Vendor contacted
2013-03-03 22:15:38 +01:00