Tim Düsterhus [Tue, 12 Oct 2021 13:47:56 +0000 (15:47 +0200)]
Deprecate ILoggingAwareException
The `finalizeLog()` method was initially added to support
com.woltlab.wcf.elasticSearch, as it logged the full - possibly huge -
Elasticsearch response, allowing it to log the response into a separate log
file.
This came with severe usability issues, as this log file is not readily
available from the ACP.
The Elasticsearch package was completely cleaned up, relying on the regular
Guzzle exceptions, and errors during JSON decoding no longer include the full
JSON.
Letting the Exception know that they've been logged is a layering violation
that will not play along nicely with #4342. The current method signature also
is pretty much limited to logging into files only.
Deprecate the interface, now that the only known user is gone.
Tim Düsterhus [Tue, 12 Oct 2021 08:48:15 +0000 (10:48 +0200)]
Fix typo in reCAPTCHA API URL
Introduced in #4293.
Tim Düsterhus [Fri, 8 Oct 2021 14:59:19 +0000 (16:59 +0200)]
Remove trailing whitespace and unused imports
Tim Düsterhus [Fri, 8 Oct 2021 14:45:42 +0000 (16:45 +0200)]
Handle all types of exception when validating database access during import
see #4281
see WoltLab/com.woltlab.wcf.exporter#55
Tim Düsterhus [Fri, 8 Oct 2021 09:10:47 +0000 (11:10 +0200)]
Merge pull request #4546 from WoltLab/sfs-lastseen-index
Add INDEX on wcf1_blacklist_entry.lastSeen
Tim Düsterhus [Fri, 8 Oct 2021 09:10:36 +0000 (11:10 +0200)]
Merge pull request #4545 from WoltLab/url-legacy-mode
Remove the `url_legacy_mode` option
Tim Düsterhus [Fri, 8 Oct 2021 08:40:29 +0000 (10:40 +0200)]
Update composer dependencies
Tim Düsterhus [Fri, 8 Oct 2021 08:28:16 +0000 (10:28 +0200)]
Add INDEX on wcf1_blacklist_entry.lastSeen
Resolves #4210
Tim Düsterhus [Fri, 8 Oct 2021 08:24:55 +0000 (10:24 +0200)]
Fix typo in filename of update script
Tim Düsterhus [Fri, 8 Oct 2021 08:10:23 +0000 (10:10 +0200)]
Remove the `url_legacy_mode` option
Resolves #4544
Marcel Werk [Thu, 7 Oct 2021 09:45:46 +0000 (11:45 +0200)]
Added CSS to highlight unread content in sidebar
Tim Düsterhus [Thu, 7 Oct 2021 08:52:53 +0000 (10:52 +0200)]
Update composer dependencies
Joshua Rüsweg [Wed, 6 Oct 2021 10:12:25 +0000 (12:12 +0200)]
Merge pull request #4541 from WoltLab/5.5-notification-confirm-link
Replace empty redirect responses in notifications with link to notifi…
joshuaruesweg [Wed, 6 Oct 2021 09:57:36 +0000 (11:57 +0200)]
Replace empty redirect responses in notifications with link to notification list
The notification link can be `null` (e.g. for some moderation notifications). This would trigger an exception further in the code, because the PSR7 redirect response expect a real URL. For this reason, we rewrite `null` with a link to the NotificationListPage.
Tim Düsterhus [Tue, 5 Oct 2021 09:49:56 +0000 (11:49 +0200)]
Update for PHP CS Fixer 3.2.1
Tim Düsterhus [Tue, 5 Oct 2021 07:27:07 +0000 (09:27 +0200)]
Merge branch '5.4'
Tim Düsterhus [Tue, 5 Oct 2021 07:00:18 +0000 (09:00 +0200)]
Merge pull request #4539 from WoltLab/php-ddl-reject-duplicate-index-column
Reject indices with duplicate columns in DatabaseTableChangeProcessor
Tim Düsterhus [Mon, 4 Oct 2021 14:32:53 +0000 (16:32 +0200)]
Merge pull request #4540 from WoltLab/5.4-image-proxy-exception
Correctly wrap \RuntimeException from body reading in \DomainExceptio…
joshuaruesweg [Mon, 4 Oct 2021 14:28:44 +0000 (16:28 +0200)]
Correctly wrap \RuntimeException from body reading in \DomainException in ImageProxyAction
Tim Düsterhus [Mon, 4 Oct 2021 14:04:11 +0000 (16:04 +0200)]
Reject indices with duplicate columns in DatabaseTableChangeProcessor
Resolves #4536
Joshua Rüsweg [Mon, 4 Oct 2021 13:31:19 +0000 (15:31 +0200)]
Merge pull request #4538 from WoltLab/5.4-disable-unfurling-in-signatures
Disable unfurled urls in signatures
joshuaruesweg [Mon, 4 Oct 2021 12:53:14 +0000 (14:53 +0200)]
Disable unfurled urls in signatures
Tim Düsterhus [Fri, 1 Oct 2021 10:19:57 +0000 (12:19 +0200)]
Merge branch '5.4'
Tim Düsterhus [Thu, 30 Sep 2021 13:33:44 +0000 (15:33 +0200)]
Merge pull request #4535 from WoltLab/import-current-path
Reject `fileSystemPath`s matching an active app during import
Tim Düsterhus [Thu, 30 Sep 2021 11:46:48 +0000 (13:46 +0200)]
Reject `fileSystemPath`s matching an active app during import
Resolves #4517
Tim Düsterhus [Wed, 29 Sep 2021 13:38:50 +0000 (15:38 +0200)]
Fix check whether a non-owned FOREIGN KEY is being dropped in DatabaseTableChangeProcessor
The reproducer and fix is effectively identical to the one in
167291206e57ffb9bc043308682061e5e499ff45.
Package A: Installs FOREIGN KEY (someOtherUserID) REFERENCES wcf1_user (userID)
Package B: Installs FOREIGN KEY (userID) REFERENCES wcf1_user (userID)
Package B: Drops FOREIGN KEY (userID) REFERENCES wcf1_user (userID)
It was erroneously detected that Package B would drop the foreign key owned by
Package A, but possibly only after the foreign key has already been (correctly)
dropped. This delay in check is caused by the `continue 2;` skipping any other
foreign keys after matching up one foreign key.
The actual dropping logic was already correct, just the safety check was
incorrect.
see #4434
joshuaruesweg [Wed, 29 Sep 2021 13:08:14 +0000 (15:08 +0200)]
Deprecate `$_REQUEST['styleID']`
The implementation of the styleID request parameter is very messy, allows for XSRF attacks due to missing validation, might collide with controllers using styleID parameters for their own purpose and can easily be replaced by a plugin if necessary (e.g. for demo setups).
Joshua Rüsweg [Wed, 29 Sep 2021 13:00:47 +0000 (15:00 +0200)]
Merge pull request #4529 from WoltLab/5.5-save-style-id
Prevent saving `styleID` in sessions for user
joshuaruesweg [Wed, 29 Sep 2021 12:09:00 +0000 (14:09 +0200)]
Prevent saving `styleID` in sessions for user
Alexander Ebert [Wed, 29 Sep 2021 12:06:46 +0000 (14:06 +0200)]
Force blur the editor after replying with a message
See https://community.woltlab.com/thread/292195-probleme-mit-opera-mobile-unter-android/
Alexander Ebert [Wed, 29 Sep 2021 12:06:09 +0000 (14:06 +0200)]
Force blur the editor after replying with a message
See https://community.woltlab.com/thread/292195-probleme-mit-opera-mobile-unter-android/
Tim Düsterhus [Wed, 29 Sep 2021 08:56:16 +0000 (10:56 +0200)]
Merge branch '5.4'
Joshua Rüsweg [Wed, 29 Sep 2021 08:46:35 +0000 (10:46 +0200)]
Merge pull request #4532 from WoltLab/unfurl-body-read-failure
Correctly wrap \RuntimeException from body reading in DownloadFailed in UnfurlResponse
Marcel Werk [Tue, 28 Sep 2021 16:11:41 +0000 (18:11 +0200)]
Merge branch 'master' of https://github.com/WoltLab/WCF
Marcel Werk [Tue, 28 Sep 2021 16:11:39 +0000 (18:11 +0200)]
Removed obsolete language variable
Tim Düsterhus [Tue, 28 Sep 2021 15:10:05 +0000 (17:10 +0200)]
Correctly wrap \RuntimeException from body reading in DownloadFailed in UnfurlResponse
Tim Düsterhus [Tue, 28 Sep 2021 14:01:33 +0000 (16:01 +0200)]
Merge branch '5.4'
Tim Düsterhus [Tue, 28 Sep 2021 14:01:19 +0000 (16:01 +0200)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Tue, 28 Sep 2021 13:58:46 +0000 (15:58 +0200)]
Merge pull request #4531 from WoltLab/http-request-timeout
Configure emergency timeout in HTTPRequest
Tim Düsterhus [Tue, 28 Sep 2021 13:21:44 +0000 (15:21 +0200)]
Merge branch '5.4'
Tim Düsterhus [Tue, 28 Sep 2021 13:21:30 +0000 (15:21 +0200)]
Merge remote-tracking branch 'origin/5.4' into 5.4
Tim Düsterhus [Tue, 28 Sep 2021 13:20:56 +0000 (15:20 +0200)]
Merge branch '5.4'
Tim Düsterhus [Tue, 28 Sep 2021 13:18:52 +0000 (15:18 +0200)]
Add explicit check whether the port is numeric in Redis wrapper
This improves error messages.
Tim Düsterhus [Tue, 28 Sep 2021 13:17:30 +0000 (15:17 +0200)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Tue, 28 Sep 2021 13:13:42 +0000 (15:13 +0200)]
Cast the Redis port to int
The `Redis::connect()` method expects the `$port` parameter to be an integer.
PHP will automatically cast numeric strings to an integer, but error out with
an TypeError if the string is not a well-formed number. This TypeError will not
be caught in an `catch(\Exception $e)` block, because TypeError does not
inherit Exception.
Perform an explicit cast to ensure the fallback to DiskCacheSource works.
Tim Düsterhus [Tue, 28 Sep 2021 12:31:33 +0000 (14:31 +0200)]
Configure emergency timeout in HTTPRequest
The connect and read timeouts might not reliably trigger in all cases.
Configure a large overall timeout to ensure PHP workers will terminate
eventually.
see
2dbd5654cb9faff45bb51df9a2f3834bd320cc00
Alexander Ebert [Mon, 27 Sep 2021 15:00:48 +0000 (17:00 +0200)]
Incorrect detection of HTML tags
The previous regex was incorrect and caused false-positive matches. One such case was a `<td>The …</td>` which translated into `###td ###The …`, causing it to be recognized as a `<th>`.
The new regex is much more restrictive by requiring at least one whitespace after the tag name if there is additional content.
Marcel Werk [Mon, 27 Sep 2021 13:37:38 +0000 (15:37 +0200)]
Merge pull request #4518 from WoltLab/notifications-for-subscribers-of-parent-objects
Notifications for subscribers of parent objects
Tim Düsterhus [Mon, 27 Sep 2021 13:11:01 +0000 (15:11 +0200)]
Update fileDelete.xml
This adds files where git detected a rename and thus did not report a deletion.
joshuaruesweg [Mon, 27 Sep 2021 11:57:04 +0000 (13:57 +0200)]
Merge branch '5.4'
joshuaruesweg [Mon, 27 Sep 2021 11:16:31 +0000 (13:16 +0200)]
Fix removing reactions on guests content
Since MySQL 8 the deletion of reactions on contents created by guests might fail. The ReactionHandler tries to update the likesReceived column for a non-existent user, sending the empty string as the userID. Recent versions of MySQL 8 error out with MySQL error 1292. The following MySQL bug appears to be related:
https://bugs.mysql.com/bug.php?id=101806
Tim Düsterhus [Mon, 27 Sep 2021 10:34:48 +0000 (12:34 +0200)]
Merge remote-tracking branch 'origin/master'
Tim Düsterhus [Mon, 27 Sep 2021 10:34:34 +0000 (12:34 +0200)]
Merge branch '5.4'
Tim Düsterhus [Mon, 27 Sep 2021 09:52:06 +0000 (11:52 +0200)]
Merge pull request #4528 from WoltLab/json-error-max-length
Truncate the maximum length of the input JSON in error message when failing to decode
Tim Düsterhus [Mon, 27 Sep 2021 09:44:24 +0000 (11:44 +0200)]
Truncate the maximum length of the input JSON in error message when failing to decode
Stop this from bloating the error log in case of huge responses.
Tim Düsterhus [Mon, 27 Sep 2021 09:19:46 +0000 (11:19 +0200)]
Merge pull request #4527 from WoltLab/search-index-manager-create-return
Remove return value for AbstractSearchIndexManager::createSearchIndex()
Tim Düsterhus [Mon, 27 Sep 2021 08:45:30 +0000 (10:45 +0200)]
Remove return value for AbstractSearchIndexManager::createSearchIndex()
Returning this boolean value does not appear to be useful at all, as there is
no reason why the state after this method finishes should be that the INDEX
does not actually exist (except in case of an Exception). Whether or not it
previously existed is irrelevant.
In fact this method is `protected` and the return value is not used at all,
thus it is safe to remove this requirement.
Tim Düsterhus [Mon, 27 Sep 2021 08:42:26 +0000 (10:42 +0200)]
Merge pull request #4514 from WoltLab/recommend-x64
Recommend 64-bit PHP during WCFSetup
Tim Düsterhus [Mon, 27 Sep 2021 08:32:14 +0000 (10:32 +0200)]
Merge pull request #4526 from WoltLab/session-cookie-lifetime
Decrease the session cookie lifetime leeway to 1 week
Tim Düsterhus [Mon, 27 Sep 2021 08:30:13 +0000 (10:30 +0200)]
Simplify the 64-bit check in WCFSetup
Tim Düsterhus [Mon, 27 Sep 2021 08:03:13 +0000 (10:03 +0200)]
Decrease the session cookie lifetime leeway to 1 week
With the increase of the user session lifetime to 2 months, simply multiplying
by two results in an excessive cookie lifetime.
Decrease this to a constant leeway of 1 week. If the cookie in the browser
expires, the session on the server should be long gone, even for wildly
incorrect local clocks.
Joshua Rüsweg [Mon, 27 Sep 2021 07:50:54 +0000 (09:50 +0200)]
Merge pull request #4525 from WoltLab/session-device-icon
Move Session::getDeviceIcon() into UserAgent::getDeviceIcon()
Tim Düsterhus [Fri, 24 Sep 2021 14:29:03 +0000 (16:29 +0200)]
Move Session::getDeviceIcon() into UserAgent::getDeviceIcon()
This method does not really belong into the Session class.
Tim Düsterhus [Fri, 24 Sep 2021 14:03:12 +0000 (16:03 +0200)]
Transmit XSRF-Token in body in User/Session/Delete.ts
Sensitive information should not be transmitted within the URI.
Tim Düsterhus [Fri, 24 Sep 2021 13:59:51 +0000 (15:59 +0200)]
Merge pull request #4523 from WoltLab/xsrf-token-javascript
Add TypeScript function to retrieve the XSRF-TOKEN
Tim Düsterhus [Fri, 24 Sep 2021 13:30:02 +0000 (15:30 +0200)]
Merge branch '5.4'
Tim Düsterhus [Fri, 24 Sep 2021 13:27:48 +0000 (15:27 +0200)]
Validate the XSRF-Token in DeleteSessionAction
This is not necessarily required, because the `sessionID` already contains high
entropy. However the JavaScript code already provides the XSRF-Token, so let's
validate it for completeness.
Tim Düsterhus [Fri, 24 Sep 2021 13:07:15 +0000 (15:07 +0200)]
Do not import getXsrfToken() as a standalone function
Tim Düsterhus [Fri, 24 Sep 2021 12:57:55 +0000 (14:57 +0200)]
Remove use of SID_ARG_2ND constant in acpSessionLog
This was effectively dead code, because `->hasProtectedURI()` always returns
`false` since ages, as the `?page=` and `?form=` parameters are gone.
Tim Düsterhus [Fri, 24 Sep 2021 12:51:45 +0000 (14:51 +0200)]
Add TypeScript function to retrieve the XSRF-TOKEN
This is intended to ease future changes, e.g. by allowing the code to always
retrieve the latest token from the cookie, instead of relying on the
effectively immutable value set at page load. In the long run this will also
allow to reduce the number of globals on the `window` object.
On the PHP side the use of the `SECURITY_TOKEN` constants have already been
deprecated in 5.4.
see #3609
see
3f6a261b1e6a3804370eb1e2a046ea6c666dbedd
Tim Düsterhus [Fri, 24 Sep 2021 12:46:22 +0000 (14:46 +0200)]
Merge branch '5.4'
Tim Düsterhus [Fri, 24 Sep 2021 12:34:39 +0000 (14:34 +0200)]
Remove SECURITY_TOKEN* constants from constants.php
These were effectively deprecated in
3f6a261b1e6a3804370eb1e2a046ea6c666dbedd.
Tim Düsterhus [Fri, 24 Sep 2021 12:33:48 +0000 (14:33 +0200)]
Remove SID* constants from constants.php
These were removed in
8a35fd6de81f1138456fb777eb57d4b3907c0c66.
Tim Düsterhus [Fri, 24 Sep 2021 10:33:51 +0000 (12:33 +0200)]
Remove INullableFormField from SourceCodeFormField
This field is not actually nullable (it does not handle `isNullable()`), I
assume this to be a copy and paste error.
Alexander Ebert [Fri, 24 Sep 2021 09:13:32 +0000 (11:13 +0200)]
Release 5.4.8
Tim Düsterhus [Fri, 24 Sep 2021 08:14:53 +0000 (10:14 +0200)]
Merge branch '5.4'
Alexander Ebert [Fri, 24 Sep 2021 07:37:56 +0000 (09:37 +0200)]
Release 5.4.8 dev 2
Marcel Werk [Thu, 23 Sep 2021 13:55:18 +0000 (15:55 +0200)]
Removed duplicated condition
Marcel Werk [Thu, 23 Sep 2021 13:35:35 +0000 (15:35 +0200)]
Notifications for subscribers of parent objects
Tim Düsterhus [Thu, 23 Sep 2021 13:09:05 +0000 (15:09 +0200)]
Remove duplication of AJAX test in WCFACP::initAuth()
Tim Düsterhus [Thu, 23 Sep 2021 12:36:00 +0000 (14:36 +0200)]
Merge identical catch blocks in ImageProxyAction
Marcel Werk [Thu, 23 Sep 2021 12:21:29 +0000 (14:21 +0200)]
Removed obsolete code
Tim Düsterhus [Thu, 23 Sep 2021 12:05:22 +0000 (14:05 +0200)]
Merge remote-tracking branch 'origin/master'
Tim Düsterhus [Thu, 23 Sep 2021 12:05:02 +0000 (14:05 +0200)]
Merge branch '5.4'
Tim Düsterhus [Thu, 23 Sep 2021 11:33:54 +0000 (13:33 +0200)]
Merge pull request #4516 from WoltLab/xsrf-token-error
Improve phrasing for XSRF token error messages
Tim Düsterhus [Thu, 23 Sep 2021 11:33:48 +0000 (13:33 +0200)]
Merge pull request #4515 from WoltLab/deprecate-abstract-secure-page
Deprecate AbstractSecurePage
Tim Düsterhus [Thu, 23 Sep 2021 10:47:15 +0000 (12:47 +0200)]
Improve phrasing in wcf.ajax.error.sessionExpired
see #4501
Tim Düsterhus [Thu, 23 Sep 2021 10:44:32 +0000 (12:44 +0200)]
Improve phrasing in wcf.global.form.error.securityToken
see #4501
Tim Düsterhus [Thu, 23 Sep 2021 10:38:05 +0000 (12:38 +0200)]
Deprecate AbstractSecurePage
Tim Düsterhus [Thu, 23 Sep 2021 08:33:23 +0000 (10:33 +0200)]
Recommend 64-bit PHP during WCFSetup
Resolves #4512
Tim Düsterhus [Thu, 23 Sep 2021 07:24:18 +0000 (09:24 +0200)]
Replace use of `StringUtil::split()` by `\mb_str_split()`
Tim Düsterhus [Thu, 23 Sep 2021 07:23:48 +0000 (09:23 +0200)]
Deprecated `StringUtil::split()`
Resolves #4513
Alexander Ebert [Wed, 22 Sep 2021 16:35:39 +0000 (18:35 +0200)]
Release 5.4.8 dev 1
WoltLab [Wed, 22 Sep 2021 16:11:07 +0000 (16:11 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Wed, 22 Sep 2021 14:08:49 +0000 (16:08 +0200)]
Update pelago/emogrifier to 6.0
Tim Düsterhus [Wed, 22 Sep 2021 13:45:17 +0000 (15:45 +0200)]
Merge branch '5.4'
Tim Düsterhus [Wed, 22 Sep 2021 13:20:59 +0000 (15:20 +0200)]
Merge pull request #4510 from WoltLab/wcfsetup-https
Check whether WCFSetup is accessed using HTTPS
Tim Düsterhus [Wed, 22 Sep 2021 13:18:12 +0000 (15:18 +0200)]
Merge pull request #4509 from WoltLab/str-x-with
Deprecate StringUtil::(starts|ends)With()
Tim Düsterhus [Wed, 22 Sep 2021 13:08:47 +0000 (15:08 +0200)]
Check whether WCFSetup is accessed using HTTPS
Resolves #4502
Tim Düsterhus [Wed, 22 Sep 2021 12:55:44 +0000 (14:55 +0200)]
Fix typo in setup_en.xml