GitHub/WoltLab/WCF.git
3 years ago Move Exceptions to own namespace
joshuaruesweg [Thu, 4 Mar 2021 16:10:39 +0000 (17:10 +0100)]
Move Exceptions to own namespace

3 years ago Properly handle libxml errors
joshuaruesweg [Thu, 4 Mar 2021 16:03:41 +0000 (17:03 +0100)]
Properly handle libxml errors

3 years ago Validate headers before reading url body
joshuaruesweg [Thu, 4 Mar 2021 16:01:44 +0000 (17:01 +0100)]
Validate headers before reading url body

3 years ago Add method to determine the charset of an url
joshuaruesweg [Thu, 4 Mar 2021 15:49:15 +0000 (16:49 +0100)]
Add method to determine the charset of an url

3 years ago Replace UnfurlUrlUtil with UnfurlResponse
joshuaruesweg [Thu, 4 Mar 2021 13:26:57 +0000 (14:26 +0100)]
Replace UnfurlUrlUtil with UnfurlResponse

3 years ago Fix codestyle
joshuaruesweg [Wed, 3 Mar 2021 13:48:40 +0000 (14:48 +0100)]
Fix codestyle

3 years ago Add unfurl url output classes
joshuaruesweg [Fri, 26 Feb 2021 15:16:03 +0000 (16:16 +0100)]
Add unfurl url output classes

3 years ago Add background job to unfurl an url
joshuaruesweg [Fri, 26 Feb 2021 15:15:11 +0000 (16:15 +0100)]
Add background job to unfurl an url

3 years ago Add util to unfurl urls
joshuaruesweg [Fri, 26 Feb 2021 15:11:32 +0000 (16:11 +0100)]
Add util to unfurl urls

3 years ago Add unfurlUrl template
joshuaruesweg [Tue, 23 Feb 2021 12:17:21 +0000 (13:17 +0100)]
Add unfurlUrl template

3 years ago Unfurl standalone Urls
joshuaruesweg [Tue, 23 Feb 2021 10:56:01 +0000 (11:56 +0100)]
Unfurl standalone Urls

3 years ago Add Unfurl Url Embedded Object
joshuaruesweg [Tue, 23 Feb 2021 10:54:57 +0000 (11:54 +0100)]
Add Unfurl Url Embedded Object

3 years ago Add Unfurl Url image dir
joshuaruesweg [Tue, 23 Feb 2021 09:49:30 +0000 (10:49 +0100)]
Add Unfurl Url image dir

3 years ago Add Unfurl Url Database structure
joshuaruesweg [Tue, 23 Feb 2021 09:49:01 +0000 (10:49 +0100)]
Add Unfurl Url Database structure

3 years ago Merge pull request #4086 from WoltLab/deprecated-is-connected-with
Tim Düsterhus [Tue, 16 Mar 2021 12:07:26 +0000 (13:07 +0100)]
Merge pull request #4086 from WoltLab/deprecated-is-connected-with

Deprecate UserProfile::isConnectedWith*()

3 years ago Only add DOM change listener once in `Ui/Empty`
Matthias Schmidt [Tue, 16 Mar 2021 11:26:06 +0000 (12:26 +0100)]
Only add DOM change listener once in `Ui/Empty`

See #4073

3 years ago Fix typo in UserProfile::isConnectedWith*() deprecation
Tim Düsterhus [Tue, 16 Mar 2021 10:46:09 +0000 (11:46 +0100)]
Fix typo in UserProfile::isConnectedWith*() deprecation

Co-authored-by: Matthias Schmidt <gravatronics@live.com>

3 years ago Deprecate UserProfile::isConnectedWith*()
Tim Düsterhus [Tue, 16 Mar 2021 10:26:25 +0000 (11:26 +0100)]
Deprecate UserProfile::isConnectedWith*()

3 years ago Merge pull request #4085 from WoltLab/fast-create
Tim Düsterhus [Mon, 15 Mar 2021 15:41:58 +0000 (16:41 +0100)]
Merge pull request #4085 from WoltLab/fast-create

Add TFastCreate trait

3 years ago Add TFastCreate trait
Tim Düsterhus [Mon, 15 Mar 2021 15:05:19 +0000 (16:05 +0100)]
Add TFastCreate trait

Co-authored-by: Alexander Ebert <ebert@woltlab.com>

3 years ago Merge pull request #4084 from WoltLab/user-importer-performance
Tim Düsterhus [Mon, 15 Mar 2021 15:36:19 +0000 (16:36 +0100)]
Merge pull request #4084 from WoltLab/user-importer-performance

Improve performance of UserImporter

3 years ago Remove useless check for non-emptiness of $groupIDs
Tim Düsterhus [Mon, 15 Mar 2021 15:31:51 +0000 (16:31 +0100)]
Remove useless check for non-emptiness of $groupIDs

3 years ago Improve performance of UserImporter
Tim Düsterhus [Mon, 15 Mar 2021 14:31:32 +0000 (15:31 +0100)]
Improve performance of UserImporter

3 years ago Re-use the statement in ImportHandler::saveNewID()
Tim Düsterhus [Mon, 15 Mar 2021 14:09:02 +0000 (15:09 +0100)]
Re-use the statement in ImportHandler::saveNewID()

Resolves #4083

3 years ago Add timestamps to ImportCLICommand
Tim Düsterhus [Mon, 15 Mar 2021 14:05:35 +0000 (15:05 +0100)]
Add timestamps to ImportCLICommand

3 years ago Merge branch '5.3'
Tim Düsterhus [Mon, 15 Mar 2021 11:36:23 +0000 (12:36 +0100)]
Merge branch '5.3'

3 years ago Refuse to proxy non-standard ports in ImageProxy
Tim Düsterhus [Mon, 15 Mar 2021 11:34:08 +0000 (12:34 +0100)]
Refuse to proxy non-standard ports in ImageProxy

3 years ago Refactor query generation in UserSearchForm::search()
Tim Düsterhus [Mon, 15 Mar 2021 11:22:12 +0000 (12:22 +0100)]
Refactor query generation in UserSearchForm::search()

The `$sql` can easily be moved down, as it is only used in a single place. This
allows us to directly embed the condition.

see dec19b25cdf21b81d73c5897cd3c885d5ec62ef4
see #4078

3 years ago Merge branch '5.3'
Tim Düsterhus [Mon, 15 Mar 2021 11:21:06 +0000 (12:21 +0100)]
Merge branch '5.3'

3 years ago Add whitespace before condition in UserSearchForm
Tim Düsterhus [Mon, 15 Mar 2021 11:16:06 +0000 (12:16 +0100)]
Add whitespace before condition in UserSearchForm

Currently a query like the following is generated:

    SELECT user_table.userID
    FROM wcf1_user user_table
    LEFT JOIN wcf1_user_option_value option_value
    ON (option_value.userID = user_table.userID)WHERE option_value.userOption4 = ?

This works due to the parentheses around the `ON` part of the `JOIN`, but it
certainly is not pretty and it will cause issues if the parentheses are removed
(as it happened for WoltLab Suite 5.4).

Insert a newline between the base query and the condition to fix the issue.

Resolves #4078

Co-Authored-By: mutec <mysterycode@mysterycode.de>

3 years ago Merge pull request #4073 from WoltLab/empty_handler
Matthias Schmidt [Mon, 15 Mar 2021 08:48:49 +0000 (09:48 +0100)]
Merge pull request #4073 from WoltLab/empty_handler

Add module for empty HTML elements as replacement for `WCF.Table.EmptyTableHandler`

3 years ago Support database PIP syncs for non-Core packages
Matthias Schmidt [Mon, 15 Mar 2021 08:46:18 +0000 (09:46 +0100)]
Support database PIP syncs for non-Core packages

3 years ago Merge pull request #4077 from WoltLab/database_pip
Matthias Schmidt [Mon, 15 Mar 2021 08:05:29 +0000 (09:05 +0100)]
Merge pull request #4077 from WoltLab/database_pip

Add DatabasePackageInstallationPlugin

3 years ago Fix missing content languages for guests
Marcel Werk [Sun, 14 Mar 2021 17:31:26 +0000 (18:31 +0100)]
Fix missing content languages for guests

3 years ago Use new database PIP for update scripts
Matthias Schmidt [Sun, 14 Mar 2021 08:07:47 +0000 (09:07 +0100)]
Use new database PIP for update scripts

3 years ago Support database PIP in devtools sync function
Matthias Schmidt [Sun, 14 Mar 2021 08:07:37 +0000 (09:07 +0100)]
Support database PIP in devtools sync function

3 years ago Add `DatabasePackageInstallationPlugin`
Matthias Schmidt [Sun, 14 Mar 2021 08:07:15 +0000 (09:07 +0100)]
Add `DatabasePackageInstallationPlugin`

3 years ago Make use of `Ui/Empty` in more places in frontend
Matthias Schmidt [Sat, 13 Mar 2021 12:38:54 +0000 (13:38 +0100)]
Make use of `Ui/Empty` in more places in frontend

3 years ago Make use of `Ui/Empty` in more places in ACP
Matthias Schmidt [Sat, 13 Mar 2021 12:35:15 +0000 (13:35 +0100)]
Make use of `Ui/Empty` in more places in ACP

3 years ago Replace use of `WCF.Table.EmptyTableHandler` with `Ui/Empty`
Matthias Schmidt [Fri, 12 Mar 2021 15:54:39 +0000 (16:54 +0100)]
Replace use of `WCF.Table.EmptyTableHandler` with `Ui/Empty`

3 years ago Deprecate `WCF.Table.EmptyTableHandler`
Matthias Schmidt [Fri, 12 Mar 2021 15:54:07 +0000 (16:54 +0100)]
Deprecate `WCF.Table.EmptyTableHandler`

3 years ago Setup `Ui/Empty` on every request globally
Matthias Schmidt [Fri, 12 Mar 2021 15:53:53 +0000 (16:53 +0100)]
Setup `Ui/Empty` on every request globally

3 years ago Add `Ui/Empty` module
Matthias Schmidt [Fri, 12 Mar 2021 15:53:27 +0000 (16:53 +0100)]
Add `Ui/Empty` module

3 years ago Recompile TypeScript to JavaScript
Matthias Schmidt [Fri, 12 Mar 2021 14:02:09 +0000 (15:02 +0100)]
Recompile TypeScript to JavaScript

3 years ago Remove deprecation of `Environment.touch()`
Matthias Schmidt [Fri, 12 Mar 2021 11:57:40 +0000 (12:57 +0100)]
Remove deprecation of `Environment.touch()`

The function is still actively used and there is no better way of doing it.

See #3876

3 years ago Merge pull request #4070 from WoltLab/formbuilder-typescript
Tim Düsterhus [Fri, 12 Mar 2021 11:54:33 +0000 (12:54 +0100)]
Merge pull request #4070 from WoltLab/formbuilder-typescript

Improve typing in Form/Builder/Dialog.ts

3 years ago Merge branch '5.3'
Tim Düsterhus [Fri, 12 Mar 2021 10:00:37 +0000 (11:00 +0100)]
Merge branch '5.3'

3 years ago Ensure that the 'wcf' application is untainted
Tim Düsterhus [Fri, 12 Mar 2021 09:58:20 +0000 (10:58 +0100)]
Ensure that the 'wcf' application is untainted

This fixes up commit fc2b721517646af2e4d901d95eeba802c1eb6a7d.

see #4057

3 years ago Do not set a spiderID for legacy sessions of registered users
Tim Düsterhus [Fri, 12 Mar 2021 09:36:06 +0000 (10:36 +0100)]
Do not set a spiderID for legacy sessions of registered users

This is the correct version of 0d262d1080533b952de104f45df7cf5a360d8892 which
was reverted in 7476740c8a03adc20f2d5f0380b47556f61edd8a.

During user change the guest legacy session is destroyed together with the
actual guest session and a new session with a matching legacy session is
created. At no point will a legacy session of a guest magically turn into a
legacy session of a user and thus an `UPDATE` is never required.

see #4067

3 years ago Revert "Clear the spiderID when logging in"
Tim Düsterhus [Fri, 12 Mar 2021 09:06:26 +0000 (10:06 +0100)]
Revert "Clear the spiderID when logging in"

As reported in PR #4071 this commit attempts to update a non-existent column.
The change should have been applied to the legacy session in wcf1_session, not
the actual session in wcf1_user_session.

This reverts commit 0d262d1080533b952de104f45df7cf5a360d8892.

see #4067
Resolves #4071

3 years ago Merge pull request #4059 from WoltLab/media-imageDimensions
Marcel Werk [Thu, 11 Mar 2021 17:01:23 +0000 (18:01 +0100)]
Merge pull request #4059 from WoltLab/media-imageDimensions

Do not expose wcf.media.imageDimensions.value to JavaScript

3 years ago Improve typing in Form/Builder/Dialog.ts
Tim Düsterhus [Thu, 11 Mar 2021 13:38:17 +0000 (14:38 +0100)]
Improve typing in Form/Builder/Dialog.ts

see 155f9dd41571c72b79815783efc0924ff5279ad8

3 years ago Fix parameter type of form builder dialogs' `successCallback` (#4069)
Matthias Schmidt [Thu, 11 Mar 2021 12:54:01 +0000 (13:54 +0100)]
Fix parameter type of form builder dialogs' `successCallback` (#4069)

Close #4063

3 years ago Merge pull request #4067 from WoltLab/session-spider-fix
Tim Düsterhus [Thu, 11 Mar 2021 11:47:57 +0000 (12:47 +0100)]
Merge pull request #4067 from WoltLab/session-spider-fix

Fix spider handling in sessions

3 years ago Merge pull request #4068 from WoltLab/fixup-check-draft
Tim Düsterhus [Thu, 11 Mar 2021 11:36:43 +0000 (12:36 +0100)]
Merge pull request #4068 from WoltLab/fixup-check-draft

Do not check for `fixup!` commit in draft PRs

3 years ago Do not check for `fixup!` commit in draft PRs
Tim Düsterhus [Thu, 11 Mar 2021 11:29:56 +0000 (12:29 +0100)]
Do not check for `fixup!` commit in draft PRs

3 years ago Merge branch '5.3'
Tim Düsterhus [Thu, 11 Mar 2021 09:56:56 +0000 (10:56 +0100)]
Merge branch '5.3'

3 years ago Fix clear button behavior in Date/Picker.ts
Tim Düsterhus [Thu, 11 Mar 2021 09:53:41 +0000 (10:53 +0100)]
Fix clear button behavior in Date/Picker.ts

Before the rewrite to TypeScript both buttons used the same variable name
(`button`). Apparently during the rewrite they have been mixed up. Use a clear
variable name for each to fix the issue.

see 9a11d3a3b9959aea13a700fa4b32ec35bdc064f0
Fixes #4061

3 years ago Do not use .bind() in Date/Picker.ts
Tim Düsterhus [Thu, 11 Mar 2021 09:51:18 +0000 (10:51 +0100)]
Do not use .bind() in Date/Picker.ts

3 years ago Clear the spiderID when logging in
Tim Düsterhus [Thu, 11 Mar 2021 08:45:26 +0000 (09:45 +0100)]
Clear the spiderID when logging in

3 years ago Make SessionHandler::createLegacySession() return the session
Tim Düsterhus [Thu, 11 Mar 2021 08:41:21 +0000 (09:41 +0100)]
Make SessionHandler::createLegacySession() return the session

This does not implicitly modify class properties and thus makes the code
cleaner.

3 years ago Correctly re-use spider sessions when creating new sessions
Tim Düsterhus [Thu, 11 Mar 2021 08:39:48 +0000 (09:39 +0100)]
Correctly re-use spider sessions when creating new sessions

Fixes #4066

3 years ago Explicitly return `null` on no match in SessionHandler::getSpiderID()
Tim Düsterhus [Thu, 11 Mar 2021 08:30:51 +0000 (09:30 +0100)]
Explicitly return `null` on no match in SessionHandler::getSpiderID()

3 years ago Remove useless condition in SessionHandler::createLegacySession()
Tim Düsterhus [Thu, 11 Mar 2021 08:28:08 +0000 (09:28 +0100)]
Remove useless condition in SessionHandler::createLegacySession()

The default value is `null`, so we can set that explicitly.

3 years ago Fix user awaiting approval link
joshuaruesweg [Wed, 10 Mar 2021 21:06:29 +0000 (22:06 +0100)]
Fix user awaiting approval link

3 years ago Deploy the INTERNAL_HOSTNAMES option before deploying files
Tim Düsterhus [Wed, 10 Mar 2021 15:40:39 +0000 (16:40 +0100)]
Deploy the INTERNAL_HOSTNAMES option before deploying files

Resolves #4065

3 years ago Merge pull request #4058 from WoltLab/tainted-app-warning
Tim Düsterhus [Wed, 10 Mar 2021 14:55:11 +0000 (15:55 +0100)]
Merge pull request #4058 from WoltLab/tainted-app-warning

Show error messages if tainted apps are installed

3 years ago Updating minified JavaScript files
WoltLab [Wed, 10 Mar 2021 14:37:51 +0000 (14:37 +0000)]
Updating minified JavaScript files

3 years ago Add missing backslashes before function calls
Matthias Schmidt [Wed, 10 Mar 2021 10:42:10 +0000 (11:42 +0100)]
Add missing backslashes before function calls

3 years ago Support filtering the list of user authentication failures (#4062)
Matthias Schmidt [Wed, 10 Mar 2021 10:41:17 +0000 (11:41 +0100)]
Support filtering the list of user authentication failures (#4062)

Filtering by IP address is not supported due to storing IPv4 addresses in IPv6 format but displaying them as IPv4, so that (partial) IPv4 addresses cannot be (easily) searched for.

See #3395

3 years ago Show error messages if tainted apps are installed
Tim Düsterhus [Tue, 9 Mar 2021 13:23:22 +0000 (14:23 +0100)]
Show error messages if tainted apps are installed

3 years ago Remove useless emptiness checks in index.tpl
Tim Düsterhus [Wed, 10 Mar 2021 08:31:04 +0000 (09:31 +0100)]
Remove useless emptiness checks in index.tpl

3 years ago Merge branch '5.3'
Matthias Schmidt [Tue, 9 Mar 2021 15:33:21 +0000 (16:33 +0100)]
Merge branch '5.3'

3 years ago Merge branch '5.2' into 5.3
Matthias Schmidt [Tue, 9 Mar 2021 15:22:53 +0000 (16:22 +0100)]
Merge branch '5.2' into 5.3

3 years ago Fix reading ACL values in non-Ajax form builder forms (#4060)
Matthias Schmidt [Tue, 9 Mar 2021 15:21:04 +0000 (16:21 +0100)]
Fix reading ACL values in non-Ajax form builder forms (#4060)

The wrong data source was used in `AclFormField` (the whole `$_POST` array instead of the dedicated entry) and the data was always stored in `aclValues` instead of a dedicated entry per form field.

3 years ago Fix Ajax user form fields with pre-set values
Matthias Schmidt [Tue, 9 Mar 2021 15:15:45 +0000 (16:15 +0100)]
Fix Ajax user form fields with pre-set values

`values[i].objectId` is only set for users added manually via the UI. For pre-existing usernames, only `values[i].value` exists.

3 years ago Do not expose wcf.media.imageDimensions.value to JavaScript
Tim Düsterhus [Tue, 9 Mar 2021 14:23:11 +0000 (15:23 +0100)]
Do not expose wcf.media.imageDimensions.value to JavaScript

This language item uses PHP template syntax and thus is not compatible with JavaScript:

    Parse error on line 1:
    {#$media->width}×{#$media->h
    --------^
    Expecting '}', got 'T_ANY'

I also could not find any JavaScript users (which was expected, given that it
would not work).

3 years ago Handle non-string values in Language.ts without logging debug messages
Tim Düsterhus [Tue, 9 Mar 2021 13:43:52 +0000 (14:43 +0100)]
Handle non-string values in Language.ts without logging debug messages

3 years ago Merge branch '5.3'
Tim Düsterhus [Tue, 9 Mar 2021 13:08:27 +0000 (14:08 +0100)]
Merge branch '5.3'

3 years ago Merge pull request #4057 from WoltLab/app-install-taint
Tim Düsterhus [Tue, 9 Mar 2021 12:47:53 +0000 (13:47 +0100)]
Merge pull request #4057 from WoltLab/app-install-taint

Taint apps until a directory is selected

3 years ago Skip tainted applications during evaluation check on IndexPage
Tim Düsterhus [Tue, 9 Mar 2021 09:50:33 +0000 (10:50 +0100)]
Skip tainted applications during evaluation check on IndexPage

3 years ago Taint installed apps until the directory is selected
Tim Düsterhus [Tue, 9 Mar 2021 09:41:33 +0000 (10:41 +0100)]
Taint installed apps until the directory is selected

The row in wcf1_application is created very early in the installation process,
even before the application directory is selected. This causes it to contain
bogus data. Now when pressing F5 during the folder section for whatever reason
the application technically is installed, but it's not usable due to the
missing XXXCore class. When the cache is being cleared this will brick the
whole community.

Taint apps until a proper application directory is selected. This reduces the
time window for human error, because it's likely that the `file` PIP runs very
soon after.

3 years ago Merge branch 'style-preload'
Tim Düsterhus [Mon, 8 Mar 2021 15:26:43 +0000 (16:26 +0100)]
Merge branch 'style-preload'

3 years ago Handle style-preload.json in Style(Add|Edit)Form and StyleGlobalValuesForm
Tim Düsterhus [Mon, 8 Mar 2021 15:04:40 +0000 (16:04 +0100)]
Handle style-preload.json in Style(Add|Edit)Form and StyleGlobalValuesForm

This file is not yet created when testing the style.

3 years ago Delete preload data when deleting styles
Tim Düsterhus [Mon, 8 Mar 2021 15:15:14 +0000 (16:15 +0100)]
Delete preload data when deleting styles

see d2779a57533b315ce08c3436d9753f16ee1fdbfe

3 years ago Show preload data in CacheListPage
Tim Düsterhus [Mon, 8 Mar 2021 15:11:19 +0000 (16:11 +0100)]
Show preload data in CacheListPage

see d2779a57533b315ce08c3436d9753f16ee1fdbfe

3 years ago Delete preload data in StyleHandler::resetStylesheets()
Tim Düsterhus [Mon, 8 Mar 2021 15:08:39 +0000 (16:08 +0100)]
Delete preload data in StyleHandler::resetStylesheets()

see d2779a57533b315ce08c3436d9753f16ee1fdbfe

3 years ago Delete preload data in StyleHandler::resetStylesheet()
Tim Düsterhus [Mon, 8 Mar 2021 15:18:07 +0000 (16:18 +0100)]
Delete preload data in StyleHandler::resetStylesheet()

see d2779a57533b315ce08c3436d9753f16ee1fdbfe

3 years ago Do not write an empty preload manifest
Tim Düsterhus [Mon, 8 Mar 2021 14:57:08 +0000 (15:57 +0100)]
Do not write an empty preload manifest

see d2779a57533b315ce08c3436d9753f16ee1fdbfe

3 years ago Merge pull request #3988 from WoltLab/devtools-option-name-validator
Tim Düsterhus [Mon, 8 Mar 2021 14:58:27 +0000 (15:58 +0100)]
Merge pull request #3988 from WoltLab/devtools-option-name-validator

Add option name validators to devtools form for the `option` PIP

3 years ago Improve phrasing for optionName pattern error message
Tim Düsterhus [Mon, 8 Mar 2021 14:58:06 +0000 (15:58 +0100)]
Improve phrasing for optionName pattern error message

Co-authored-by: Matthias Schmidt <gravatronics@live.com>

3 years ago Merge pull request #4054 from WoltLab/password-toggle-icon
Marcel Werk [Mon, 8 Mar 2021 14:37:51 +0000 (15:37 +0100)]
Merge pull request #4054 from WoltLab/password-toggle-icon

Swap icons used in password toggle

3 years ago Swap icons used in password toggle
Tim Düsterhus [Mon, 8 Mar 2021 11:54:01 +0000 (12:54 +0100)]
Swap icons used in password toggle

Icons in buttons in WoltLab Suite usually indicate what happens when the button
is clicked and do not represent the current state.

3 years ago Add special handling for AJAX requests failing reauth in ACP
Tim Düsterhus [Mon, 8 Mar 2021 10:46:56 +0000 (11:46 +0100)]
Add special handling for AJAX requests failing reauth in ACP

Fixes #4053

3 years ago Update guzzle to the current guzzle/guzzle master
Tim Düsterhus [Mon, 8 Mar 2021 10:13:38 +0000 (11:13 +0100)]
Update guzzle to the current guzzle/guzzle master

This moves guzzle away from our private fork onto the upstream repository,
albeit not onto a released version, due to the change in
8f09f3cac92beb4ec003c1b29dc37360e29b3b36 not yet being released.

3 years ago Merge pull request #4051 from WoltLab/internal-host
Tim Düsterhus [Mon, 8 Mar 2021 10:08:13 +0000 (11:08 +0100)]
Merge pull request #4051 from WoltLab/internal-host

Add INTERNAL_HOSTNAMES option

3 years ago Check the XSRF-TOKEN cookie against the active request during 5.4 upgrade
Tim Düsterhus [Mon, 8 Mar 2021 10:02:22 +0000 (11:02 +0100)]
Check the XSRF-TOKEN cookie against the active request during 5.4 upgrade

It should not be possible to hit the issue in the real world, but we better
play safe here.

In my tests I could only reproduce the issue by:

1. Taking a snapshot while logged into the ACP.
2. Starting the upgrade until the new cookies have been set.
3. Aborting the upgrade.
4. Rolling back the snapshot.
5. Trying again.

In this case the XSRF-TOKEN cookie is correctly signed and the session cookie
matches the actual session ID. However the sessionVariables are outdated due to
the rollback. The process will continue with the old SECURITY_TOKEN, failing
after the new files from 5.4 are deployed.

This issue is fixed by also checking the cookie against the current request and
the active session to ensure all the values are correctly in place.

Resolves #4052

3 years ago Add INTERNAL_HOSTNAMES option
Tim Düsterhus [Fri, 5 Mar 2021 15:48:05 +0000 (16:48 +0100)]
Add INTERNAL_HOSTNAMES option

Resolves #4049

3 years ago Make HtmlOutputNodeImg::getHostMatcher() reusable as Url::getHostnameMatcher()
Tim Düsterhus [Fri, 5 Mar 2021 15:41:01 +0000 (16:41 +0100)]
Make HtmlOutputNodeImg::getHostMatcher() reusable as Url::getHostnameMatcher()

3 years ago Correctly handle apps without an option directory in `option` dev tools
Tim Düsterhus [Fri, 5 Mar 2021 15:15:01 +0000 (16:15 +0100)]
Correctly handle apps without an option directory in `option` dev tools