David Taylor
d237da16c5
SECURITY: Restrict message-bus access on login_required sites
2019-08-14 10:11:28 +01:00
Gerhard Schlager
ab3e18090f
FIX: Disallow user self-delete when user posted in PMs
All posts created by the user are counted unless they are deleted,
belong to a PM sent between a non-human user and the user or belong
to a PM created by the user which doesn't have any other recipients.
It also makes the guardian prevent self-deletes when SSO is enabled.
2019-08-10 12:06:40 +02:00
Roman Rizzi
0be47023d4
FIX: Use unescaped title as combo-box id ( #7979 )
2019-08-08 12:52:34 -03:00
David Taylor
b1d2e4daf3
FIX: Composer preview on IE11 ( #7970 )
Add the Array.from polyfill for IE11. This is required to support the transpiled ES6 spread syntax generated by babel: https://babeljs.io/docs/en/caveats/
2019-08-05 14:44:13 +01:00
Sam Saffron
c587df7e2a
Revert "FEATURE: add Noindex to robots.txt for disallowed routes"
This reverts commit d84256a876.
This is not supported by Google and causes robots.txt to be flagged as
invalid
Removing Noindex
2019-07-30 11:37:00 +10:00
David Taylor
85cdf213e1
FIX: Hide live-loaded posts from ignored users
2019-07-27 14:00:34 +01:00
David Taylor
c4ff66e1a5
DEV: Correct merge conflicts for 9cfe3f99
2019-07-24 13:31:16 +01:00
David Taylor
9cfe3f9948
SECURITY: Add confirmation screen when connecting associated accounts
2019-07-24 13:29:59 +01:00
Gerhard Schlager
90a1aa5536
SECURITY: Validate backup chunk identifier
2019-07-22 08:44:38 +02:00
Guo Xiang Tan
477bacb3ae
SECURITY: XSS when displaying watched words in admin panel.
The XSS here is only possible if CSP is disabled. Low impact since CSP
is enabled by default in SiteSettings.
2019-07-15 10:58:52 +08:00
Robin Ward
fe8bd92f71
SECURITY: SQL injection with default categories
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.
The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event that bad data somehow
already exists.
2019-07-11 13:53:12 -04:00
Robin Ward
d1c12539dd
SECURITY: XSS with title selector on preferences page
Note this is very low severity as the group needs to be created with a
default title that contains HTML, and group creation is restricted to
staff members right now.
2019-07-09 17:35:26 -04:00
Robin Ward
4fd470e63d
SECURITY: Strip HTML from invite emails
We also strip new lines from the emails because it ruins the markdown
formatting which expects a one line message.
2019-07-05 14:58:46 -04:00
Jeff Wong
a7a7afdb27
FIX: iterate when clearing watched words cache
2019-07-04 08:59:01 -07:00
romanrizzi
2a7d270fd6
Revert "FIX: remove misplaced save button"
This reverts commit f1381a274b.
2019-07-03 10:58:33 -03:00
romanrizzi
f1381a274b
FIX: remove misplaced save button
2019-07-03 10:47:54 -03:00
romanrizzi
34d548dbd3
FIX: Remove misplaced outlet
2019-07-03 10:47:43 -03:00
Arpit Jalan
867eebb55e
FIX: creating new badge is failing on empty SQL query ( #7837 )
2019-07-02 15:17:32 +05:30
Gerhard Schlager
b549cab2ad
FIX: Don't send notification email when user isn't allowed to see topic
2019-07-02 09:05:36 +10:00
Gerhard Schlager
5b91182985
DEV: Respond with error 400 to uploads requested via XHR
follow-up to 13f38055
2019-06-27 11:30:05 +02:00
Sam Saffron
467e03a2ec
DEV: lint file
We no longer need that isAppleDevice require
2019-06-27 11:29:51 +02:00
Joffrey JAFFEUX
a91881280d
FIX: closes search-menu on escape ( #7804 )
2019-06-27 09:34:34 +02:00
Joffrey JAFFEUX
690fb5c4fb
FIX: prevents failure when TL was mutated on internal object ( #7808 )
2019-06-27 09:34:31 +02:00
Gerhard Schlager
9c8aa0a906
SECURITY: XSS in routes
Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 16:45:33 +02:00
Penar Musaraj
8b963bce37
FIX: Do not refresh all settings on save for all settings, limit to only a few
- Followup to 0e303c7f5d
- Automatically reloads site settings after saving only for the logo, logo_small and large_icon settings.
2019-06-25 11:49:09 -04:00
Penar Musaraj
e1822034dc
FIX: use correct name for selectable_avatars_enabled site setting
2019-06-25 11:48:56 -04:00
Maja Komel
faf059e018
FIX: remove temporary hack for fixed iOS bug ( #7773 )
A bug where input focus is displaced on modals was fixed in iOS 11.3 update. This hack was causing problems on topic page since hiding main-outlet results in lost read position after opening and closing a modal.
2019-06-25 11:48:42 -04:00
Joffrey JAFFEUX
f2d5cde24c
FIX: category-chooser search should be scoped to category ( #7794 )
2019-06-24 11:31:41 +02:00
Neil Lalonde
04be572a92
Merge diffs from master
2019-06-17 20:07:19 -04:00
Neil Lalonde
a4308fdd43
Merge master
2019-06-17 20:04:04 -04:00
Jeff Wong
893b50031d
replace subfolder on cdn url conversion between general cdn and s3 ( #7764 )
When both a cdn URL and an s3 cdn URL are defined, subfolder paths were leaking
through to the s3 cdn URL. If we are replacing the cdn url with the s3_cdn url,
we also need to make sure that the subpath is removed as well, as it appears in
the original cdn url.
The test should give a fairly good gist of the situations - in subfolder
situations where s3_cdn and a cdn is defined:
`asset_path` returns the asset with a subfolder, in the form `{cdn_url}/{subfolder}/{asset_path}`
Currently this is being replaced to `{s3_cdn_url}/{subfolder}/{asset_path}`
I am proposing we change this to: `{s3_cdn_url}/{asset_path}` as it seems like
for s3_cdn urls we should not be carrying around app subfolder pathing anywhere
we are looking up s3 paths.
2019-06-17 11:51:17 -07:00
David Taylor
40cbcc7720
SECURITY: Add confirmation screen when logging in via email link
2019-06-17 18:20:48 +01:00
David Taylor
e6e47f2fb2
SECURITY: Add confirmation screen when logging in via user-api OTP
2019-06-17 16:18:44 +01:00
David Taylor
52387be4a4
SECURITY: Add confirmation screen when logging in via email link
2019-06-17 16:18:37 +01:00
David Taylor
5f6f707080
Revert "Merge pull request from GHSA-hv9p-jfm4-gpr9"
This reverts commit b8340c6c8e.
2019-06-17 16:17:10 +01:00
David Taylor
b8340c6c8e
Merge pull request from GHSA-hv9p-jfm4-gpr9
* SECURITY: Add confirmation screen when logging in via email link
* SECURITY: Add confirmation screen when logging in via user-api OTP
* FIX: Correct translation key in session controller specs
* FIX: Use .email-login class for page
2019-06-17 15:59:41 +01:00
Arpit Jalan
863d8014d0
FIX: respond with 400 error on invalid redirect param
2019-06-17 16:44:30 +05:30
Arpit Jalan
102be5a9e3
DEV: optimize fix for sub-categories not getting pre-filled.
2019-06-17 13:28:08 +05:30
tshenry
c909033f2b
Add plugin outlets to login/create-account modals ( #7770 )
2019-06-17 16:22:00 +10:00
Sam Saffron
704c579550
FIX: do not allow unbound membership lookups
Previously we would allow looking up membership limits in an unbound way
via the API; this introduces an upper limit of 1000 per page.
2019-06-17 15:32:06 +10:00
Sam Saffron
fe4f0a4369
FIX: staged users should not be included in TL groups
Staged users should not be included in any automatic groups because for all
purposes they do not exist.
2019-06-17 15:10:47 +10:00
Arpit Jalan
48b9e0d749
FIX: sub-categories was not getting selected for pre-filled topics
2019-06-15 13:46:15 +05:30
Kris
9cb656250d
FIX: Allow tall tables to scroll vertically on iOS
2019-06-14 14:26:59 -04:00
Guo Xiang Tan
77c06384c0
Fix the build.
2019-06-14 13:56:35 +08:00
Guo Xiang Tan
5d16d10a9e
DEV: Fix edge case for InlineUploads.
2019-06-14 13:48:03 +08:00
Guo Xiang Tan
befb074c98
DEV: InlineUploads should process CDN upload URLs as well.
2019-06-14 13:14:37 +08:00
Guo Xiang Tan
41abebcbce
DEV: Support both http and https for InlineUploads.
2019-06-14 12:48:31 +08:00
Guo Xiang Tan
c9db897777
FIX: Remove onebox src from Jobs::PullHotlinkedImages.
The test that was added is incorrect because the post was not cooked.
2019-06-14 09:21:25 +08:00
Sam Saffron
457be89445
DEV: only skip migration if a non seeded upload exists
Followup to 667b9801
2019-06-14 09:52:02 +10:00
Sam Saffron
667b98017a
FIX: do not attempt to migrate pre-existing uploads
This makes this job re-runnable just in case, because it will skip creation
of new uploads if an upload already exists.
2019-06-14 09:39:22 +10:00