Don't follow urls to external sites when submitting forms from the
settings modules. This mitigates an Open Redirect vulnerability where an
attacker could trick a user to go to an attacker controlled destination.
Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
Escape URLs provided by the rpath query param in settings modules. This
prevents a possible Cross-Site scripting vulnerability, where an
attacker could inject web scripts and html into the settings form via
the rpath query parameter, and have a user execute the script by
tricking them to clicking a link.
Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
The escaping makes the URL safe for display and for use in HTML element
attributes (such as href="..." etc), but does not guarantee that the URL
itself is valid after conversion. This should be good enough for
mitigating XSS issues caused by injecting html or javascript into a URL.
Also probably good enough for _most_ normal URLs, but there may be
devils hidden in the details somewhere.
Limit valid chars in schema names, and discard attempts at loading
schemas with invalid names.
This prevents a local file inclusion vulnerability where an
unauthenticated attacker can include arbitrary php files readable by the
server process and potentially obtain remote code execution.
Valid schema names may consist of ascii letters, numbers, hyphens and
underscores. Should be good enough for most cases, I think.
Fixes https://framagit.org/hubzilla/core/-/issues/1665
When trying to fetch an image file from the Cloud module, the default
nginx config will add a trailing & if there's no args specified.
Example:
https://example.com/cloud/username/some_image.png
This will be rewritten to:
https://example.com/index.php?q=/cloud/username/some_image.png&
This in turn will cause the Cloud module to try to redirect back to the
original because it does not match the query_string (in which the
ampersand has been converted to a question mark). And this will repeat
until the browser get's tired of it.
This is a color only stylesheet, modifying the original Bootstrap colors
to a dark variant. Insert this as base before the redbasic dark schema
modifications, and any custom modifications to have a nicer base for the
dark schema.
Use z_root instead of script_path when formatting stylesheet and
javascript links for the head section. script_path does not preserve
information about the port if the site uses a nonstandard port.
Typo in Setup.php prevents users from using Postgres
See merge request hubzilla/core!2014
(cherry picked from commit 0e2e932102)
d384f55d Typo in Setup.php prevents users from using Postgres
