Tim Düsterhus [Thu, 17 Mar 2022 13:21:34 +0000 (14:21 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Thu, 17 Mar 2022 13:20:55 +0000 (14:20 +0100)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Wed, 16 Mar 2022 16:55:20 +0000 (17:55 +0100)]
Escape HTML in the filename of the progress indicator during attachment upload
(cherry picked from commit 81b770284267db5dc8c8df86e303a20c3ccb8dce)
Tim Düsterhus [Thu, 17 Mar 2022 13:12:25 +0000 (14:12 +0100)]
Merge branch 'cronjobLogList-xss' into 3.1
Tim Düsterhus [Thu, 17 Mar 2022 08:10:12 +0000 (09:10 +0100)]
Fix XSS in the cronjob's error message in cronjobLogList
This can happen if untrusted information, such as the HTTP response body for a
failed Guzzle request, is embedded into the error message.
Thanks to @SoftCreatR for responsibly reporting the issue.
WoltLab [Wed, 16 Mar 2022 17:31:50 +0000 (17:31 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Wed, 16 Mar 2022 16:55:20 +0000 (17:55 +0100)]
Escape HTML in the filename of the progress indicator during attachment upload
Marcel Werk [Mon, 14 Mar 2022 09:27:14 +0000 (10:27 +0100)]
Only revert points when revoking a reaction
Tim Düsterhus [Wed, 9 Mar 2022 14:16:41 +0000 (15:16 +0100)]
Upgrade to `actions/checkout@v3`
Tim Düsterhus [Wed, 9 Mar 2022 14:14:53 +0000 (15:14 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Wed, 9 Mar 2022 14:14:35 +0000 (15:14 +0100)]
Upgrade to `actions/checkout@v3`
Tim Düsterhus [Wed, 9 Mar 2022 12:49:18 +0000 (13:49 +0100)]
Validate the `pageNo` in UserTrophyAction::validateGetGroupedUserTrophyList()
Tim Düsterhus [Wed, 9 Mar 2022 12:48:52 +0000 (13:48 +0100)]
Validate that the userID matches a user in UserFollowingAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:48:19 +0000 (13:48 +0100)]
Validate the `pageNo` in UserFollowingAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:47:42 +0000 (13:47 +0100)]
Validate that the userID matches a user in UserFollowAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:47:01 +0000 (13:47 +0100)]
Validate the `pageNo` in UserFollowAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:46:29 +0000 (13:46 +0100)]
Validate the `pageNo` in MediaAction::validateGetSearchResultList()
Tim Düsterhus [Wed, 9 Mar 2022 12:45:45 +0000 (13:45 +0100)]
Validate the `pageNo` in LikeAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:45:05 +0000 (13:45 +0100)]
Validate the `pageNo` in UserProfileVisitorAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 11:19:20 +0000 (12:19 +0100)]
Validate the limit and offset in Database::handleLimitParameter()
Tim Düsterhus [Wed, 9 Mar 2022 09:40:02 +0000 (10:40 +0100)]
Simplify condition in UserTrophyAction::validateGetGroupedUserTrophyList()
Tim Düsterhus [Wed, 9 Mar 2022 09:39:36 +0000 (10:39 +0100)]
Validate that the userID matches a user in UserTrophyAction::validateGetGroupedUserTrophyList()
Tim Düsterhus [Wed, 9 Mar 2022 09:38:04 +0000 (10:38 +0100)]
Validate that the userID matches a user in UserProfileVisitorAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 09:33:51 +0000 (10:33 +0100)]
Fix typing of RuntimeCache's getObject() method
joshuaruesweg [Thu, 3 Mar 2022 12:56:27 +0000 (13:56 +0100)]
Fix detection of IPv4 addresses for stopforumspam integration
Tim Düsterhus [Mon, 28 Feb 2022 12:10:16 +0000 (13:10 +0100)]
Validate the messageObjectType in MessagePreviewAction::validateGetMessagePreview()
Tim Düsterhus [Mon, 28 Feb 2022 12:02:17 +0000 (13:02 +0100)]
Validate the object type definition in CommentAction::validateObjectType()
Alexander Ebert [Tue, 15 Feb 2022 13:54:23 +0000 (14:54 +0100)]
Release 5.3.20
Tim Düsterhus [Tue, 8 Feb 2022 09:07:00 +0000 (10:07 +0100)]
Ignore `length` when diffing YearDatabaseTableColumn
Similarly to INT columns, MySQL 8 ignores the length of YEAR columns:
https://dev.mysql.com/doc/refman/8.0/en/year.html
> As of MySQL 8.0.19, the YEAR(4) data type with an explicit display width is
> deprecated and you should expect support for it to be removed in a future
> version of MySQL. Instead, use YEAR without a display width, which has the
> same meaning.
Alexander Ebert [Mon, 31 Jan 2022 16:30:49 +0000 (17:30 +0100)]
Release 5.3.19
Alexander Ebert [Mon, 31 Jan 2022 16:30:10 +0000 (17:30 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Mon, 31 Jan 2022 16:28:38 +0000 (17:28 +0100)]
Release 5.2.19
Alexander Ebert [Mon, 31 Jan 2022 16:27:54 +0000 (17:27 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Mon, 31 Jan 2022 16:24:44 +0000 (17:24 +0100)]
Release 3.1.27
Tim Düsterhus [Mon, 31 Jan 2022 16:18:38 +0000 (17:18 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Mon, 31 Jan 2022 16:18:14 +0000 (17:18 +0100)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Mon, 31 Jan 2022 16:17:54 +0000 (17:17 +0100)]
Merge branch 'unknown-bbcode-xss' into 3.1
Tim Düsterhus [Mon, 31 Jan 2022 13:18:17 +0000 (14:18 +0100)]
Fix XSS vulnerability in HtmlBBCodeParser::buildBBCodeTag()
Thanks to @methosiea for responsibly reporting this issue.
Resolves #4653
Tim Düsterhus [Thu, 27 Jan 2022 13:01:33 +0000 (14:01 +0100)]
Fix regular expression for the `atext` production in EmailGrammar
Due to the missing escaping of the hyphen with a backslash, the allowed
characters were not just:
- The plus sign (`+`, 0x2B),
- the dash (`-`, 0x2D), and
- the slash (`/`, 0x2F).
But all ASCII characters between 0x2B and 0x2F, namely:
- The plus sign (`+`, 0x2B),
- the comma (`,`, 0x2C),
- the dash (`-`, 0x2D),
- the dot (`.`, 0x2E), and
- the slash (`/`, 0x2F).
i.e. the comma and dot in addition to the actually allowed characters.
This error caused an incorrect encoding of headers in `::encodeHeader()`.
Specifically the real name of a mailbox was affected by this issue. As a result
a real name that included a dot, but otherwise matched the `atom` grammar was
improperly encoded, possibly causing email parsing failures for MUAs.
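The character-class mistake described above, reproduced as an added Python example (this is not the project's EmailGrammar code; the class contents, the simplified `encode_display_name()` phrase encoder and the sample names are constructed, and Python's `re` is used because it shares PCRE's range semantics inside `[...]`):

```python
import re

# RFC 5322 `atext` as a single-character class. The two patterns differ only in
# whether the dash is escaped: in the buggy one `+-/` is parsed as the RANGE
# 0x2B..0x2F, silently admitting the comma (0x2C) and the dot (0x2E).
ATEXT_BUGGY = r"[a-zA-Z0-9!#$%&'*+-/=?^_`{|}~]"   # `+-/` is a range
ATEXT_FIXED = r"[a-zA-Z0-9!#$%&'*+\-/=?^_`{|}~]"  # `\-` is a literal dash


def atext_chars(cls: str) -> set:
    """Return the set of ASCII characters accepted by a one-character class."""
    return {chr(c) for c in range(128) if re.fullmatch(cls, chr(c))}


def extra_chars() -> list:
    """Characters the buggy class accepts that the fixed class rejects."""
    return sorted(atext_chars(ATEXT_BUGGY) - atext_chars(ATEXT_FIXED))


def encode_display_name(name: str, cls: str) -> str:
    """Simplified phrase encoding for a mailbox's real name (constructed):
    a name consisting only of atoms may be emitted bare, anything else has
    to become a quoted-string. With the buggy class a dot counts as atext,
    so a name like "J. Doe" is wrongly emitted unquoted."""
    words = name.split(" ")
    if all(w and re.fullmatch(f"{cls}+", w) for w in words):
        return name
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'
```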
Tim Düsterhus [Fri, 21 Jan 2022 12:53:33 +0000 (13:53 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Fri, 21 Jan 2022 12:50:28 +0000 (13:50 +0100)]
Remove codestyle workflow for non-PSR-12 branches
The recent backport of the `|json` template modifier from 5.5 to 3.1+ in
58bc4b693415079127dd11d8210d2564a443010d fails the code style, because the
branches 5.3 and earlier expect tabs instead of spaces for indentation.
It's not really worth fixing the code style for the file, just to revert it once
again when merging upwards.
Remove the check for these older branches. They are only touched for bug fixes
and the style will need to be adapted when merging into 5.4.
Alexander Ebert [Fri, 21 Jan 2022 12:48:46 +0000 (13:48 +0100)]
Release 5.3.18
Alexander Ebert [Fri, 21 Jan 2022 12:47:22 +0000 (13:47 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Fri, 21 Jan 2022 12:30:34 +0000 (13:30 +0100)]
Release 5.2.18
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`
(cherry picked from commit ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)
Alexander Ebert [Fri, 21 Jan 2022 12:27:41 +0000 (13:27 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Fri, 21 Jan 2022 12:06:52 +0000 (13:06 +0100)]
Release 3.1.26
Tim Düsterhus [Thu, 20 Jan 2022 10:50:47 +0000 (11:50 +0100)]
Add missing JSON encoding of the PAGE_TITLE in `ampArticle.tpl`
This does not need to be fixed in any current branch, because the brokenness
of `|encodeJSON` will result in broken metadata one way or another.
(cherry picked from commit bba7f1706e30761e55954a5a4be569e5bb55a6c4)
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`
(cherry picked from commit ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)
Tim Düsterhus [Thu, 20 Jan 2022 10:48:16 +0000 (11:48 +0100)]
Add `|json` template modifier
(cherry picked from commit e178fa84dc06861c5aba3d14e03161c5396fe9a7)
Alexander Ebert [Wed, 19 Jan 2022 13:10:10 +0000 (14:10 +0100)]
Release 5.3.17
Alexander Ebert [Wed, 19 Jan 2022 13:00:57 +0000 (14:00 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Wed, 19 Jan 2022 12:55:01 +0000 (13:55 +0100)]
Release 5.2.17
Alexander Ebert [Wed, 19 Jan 2022 12:50:25 +0000 (13:50 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Wed, 19 Jan 2022 12:46:00 +0000 (13:46 +0100)]
Release 3.1.25
Tim Düsterhus [Wed, 19 Jan 2022 12:29:21 +0000 (13:29 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Wed, 19 Jan 2022 12:29:10 +0000 (13:29 +0100)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Wed, 19 Jan 2022 12:27:40 +0000 (13:27 +0100)]
Merge branch 'encode-js-quot' into 3.1
Tim Düsterhus [Wed, 19 Jan 2022 08:48:30 +0000 (09:48 +0100)]
Merge pull request #4642 from WoltLab/php-ddl-app-install
Fix the replacing of WCF_N in PHP DDL during app installation
Tim Düsterhus [Tue, 18 Jan 2022 11:36:04 +0000 (12:36 +0100)]
Fix the replacing of WCF_N in PHP DDL during app installation
During app installation the newly installed app might not yet be stored within
the application cache, thus failing to replace the `1` within the table
structure definition.
Fix this by setting the `skipCache` parameter to `true`. This will increase the
number of database queries, because applications will be checked once for each
defined table and for each defined FOREIGN KEY, but I don't see a simple fix
for this issue that avoids this increase in query count. Specifically we cannot
simply reset the application cache after inserting the application into
wcf1_application.
Tim Düsterhus [Tue, 4 Jan 2022 10:50:50 +0000 (11:50 +0100)]
Encode the double quote (`"`) in StringUtil::encodeJS()
`encodeJSON()` is currently broken, because while it HTML-encodes the double
quote, it does not actually add the backslash in front of it. Depending on
whether the HTML entity is interpreted by the browser in that specific location
or not, this either results in an incorrect string (with a literal `&quot;`
instead of `"`) or in a syntax error (because the `"` ends the string
prematurely).
The latter might even allow for the injection of JavaScript, if `encodeJSON` is
used in a `<script>` tag that is not just LD-JSON metadata.
Fix this issue by escaping the double quote in `encodeJS` which is used
internally by `encodeJSON`. This should not cause issues, as an escaped double
quote is valid syntax within a JavaScript string.
Alexander Ebert [Wed, 22 Dec 2021 14:46:57 +0000 (15:46 +0100)]
Release 5.3.16
mutec [Sun, 28 Nov 2021 10:49:39 +0000 (11:49 +0100)]
Cast `$length` to an actual `int` in TLengthDatabaseTableColumn::length()
When the object is being initialized from the existing structure in the
database, the length will be passed as a string and was previously stored as-is
within the object.
This violates the existing PHPDoc type declaration and breaks consumers that
use a strict comparison (`===`) to check the length, notably
`YearDatabaseTableColumn`.
Fix this by casting the passed parameter to an actual `int`. This should be
adjusted to a proper parameter type in a future version.
Resolves #4594
[Tim: Adjusted commit message]
Alexander Ebert [Tue, 30 Nov 2021 14:41:50 +0000 (15:41 +0100)]
Release 5.3.15
WoltLab [Tue, 30 Nov 2021 14:34:02 +0000 (14:34 +0000)]
Updating minified JavaScript files
Alexander Ebert [Tue, 30 Nov 2021 14:31:49 +0000 (15:31 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Tue, 30 Nov 2021 13:33:28 +0000 (14:33 +0100)]
Release 5.2.16
WoltLab [Tue, 30 Nov 2021 13:26:57 +0000 (13:26 +0000)]
Updating minified JavaScript files
Alexander Ebert [Tue, 30 Nov 2021 13:25:15 +0000 (14:25 +0100)]
Merge branch '3.1' into 5.2
WoltLab [Tue, 30 Nov 2021 12:57:10 +0000 (12:57 +0000)]
Updating minified JavaScript files
Sascha Greuel [Tue, 30 Nov 2021 10:23:56 +0000 (11:23 +0100)]
Fixed suffix declaration in XSD
As of now, a suffix is only allowed for option categories, which is wrong,
because a suffix can only be applied to an option itself.
Resolves #4596
Alexander Ebert [Tue, 30 Nov 2021 10:01:51 +0000 (11:01 +0100)]
Release 3.1.24
Alexander Ebert [Wed, 10 Nov 2021 18:22:29 +0000 (19:22 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Wed, 10 Nov 2021 18:22:18 +0000 (19:22 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Wed, 10 Nov 2021 18:21:40 +0000 (19:21 +0100)]
Incorrect reset of the timer to show the loading indicator
The missing reset caused repeated calls to `show()` to be effectively ignored, because the check `_timeoutShow === null` would always be true if the callback was cancelled before.
See https://community.woltlab.com/thread/293232-ajaxstatus-wird-nach-einem-fehlerhaften-request-nicht-wieder-angezeigt/
Tim Düsterhus [Thu, 4 Nov 2021 14:35:33 +0000 (15:35 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Thu, 4 Nov 2021 14:34:47 +0000 (15:34 +0100)]
Fix error message for `foreignColumnChange` in PHP DDL API
Tim Düsterhus [Tue, 2 Nov 2021 12:36:47 +0000 (13:36 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Tue, 2 Nov 2021 12:34:12 +0000 (13:34 +0100)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Tue, 2 Nov 2021 12:31:07 +0000 (13:31 +0100)]
Merge pull request #4574 from WoltLab/supportexpiry-31
Notify users of the expiring support
Tim Düsterhus [Tue, 2 Nov 2021 11:11:50 +0000 (12:11 +0100)]
Tim Düsterhus [Tue, 26 Oct 2021 12:56:26 +0000 (14:56 +0200)]
Regenerate composer autoloader
Tim Düsterhus [Thu, 14 Oct 2021 13:14:54 +0000 (15:14 +0200)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Thu, 14 Oct 2021 13:11:44 +0000 (15:11 +0200)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Thu, 14 Oct 2021 13:10:10 +0000 (15:10 +0200)]
Fix EmailNewActivationCodeForm
This got broken, because it inherits from RegisterNewActivationForm and the “is
already enabled” validation was moved into a dedicated method within there. This
is a perfect example of why one should never inherit from controllers …
see f394421c0cc7e8879007092e40e540b2fd1118c1
Tim Düsterhus [Tue, 28 Sep 2021 13:58:46 +0000 (15:58 +0200)]
Merge pull request #4531 from WoltLab/http-request-timeout
Configure emergency timeout in HTTPRequest
Tim Düsterhus [Tue, 28 Sep 2021 13:13:42 +0000 (15:13 +0200)]
Cast the Redis port to int
The `Redis::connect()` method expects the `$port` parameter to be an integer.
PHP will automatically cast numeric strings to an integer, but error out with
a TypeError if the string is not a well-formed number. This TypeError will not
be caught in a `catch(\Exception $e)` block, because TypeError does not
inherit Exception.
Perform an explicit cast to ensure the fallback to DiskCacheSource works.
Tim Düsterhus [Tue, 28 Sep 2021 12:31:33 +0000 (14:31 +0200)]
Configure emergency timeout in HTTPRequest
The connect and read timeouts might not reliably trigger in all cases.
Configure a large overall timeout to ensure PHP workers will terminate
eventually.
see 2dbd5654cb9faff45bb51df9a2f3834bd320cc00
Marcel Werk [Tue, 21 Sep 2021 14:53:14 +0000 (16:53 +0200)]
Merge pull request #4497 from max-m/patch-categoryMultiSelectOptionType
Make `categoryMultiSelectOptionType.tpl` behave like `categoryOptionList.tpl`
Alexander Ebert [Mon, 20 Sep 2021 15:48:31 +0000 (17:48 +0200)]
Incorrect gradient value in Safari
https://community.woltlab.com/thread/292475-mainmenushowprevious-mainmenushownext-safari-farbunterschied-fehler/
Maximilian Mader [Tue, 14 Sep 2021 16:19:15 +0000 (18:19 +0200)]
Make `categoryMultiSelectOptionType.tpl` behave like `categoryOptionList.tpl`
Currently the `categoryMultiSelectOptionType.tpl` outputs nodes of depth 0 and depth 1,
but article categories for example can be nested deeper than that.
The `categoryOptionList.tpl` as used by the category add forms handles arbitrary nesting levels already,
so I’ve ported the template logic over to the multi select option template.
The maximum nesting depth in the `AbstractCategoryMultiSelectOptionType.class.php` has been changed
to the default value (-1) to allow for infinite nesting depths.
Alexander Ebert [Sat, 11 Sep 2021 15:05:59 +0000 (17:05 +0200)]
Merge pull request #4496 from mutec/tagfieldfdp1
fix id of `CustomFormDataProcessor` in `TagFormField`
mutec [Fri, 10 Sep 2021 14:49:57 +0000 (16:49 +0200)]
fix id of `CustomFormDataProcessor` in `TagFormField`
The id was `acl`, which seems to be a copy-paste mistake.
Alexander Ebert [Thu, 9 Sep 2021 09:58:00 +0000 (11:58 +0200)]
Merge branch '5.2' into 5.3
Alexander Ebert [Thu, 9 Sep 2021 09:47:02 +0000 (11:47 +0200)]
Merge pull request #4493 from WoltLab/5.3-aclformfieldcleanup
Reset ACL field values within form cleanup
Alexander Ebert [Wed, 8 Sep 2021 12:13:30 +0000 (14:13 +0200)]
Release 5.3.14
Alexander Ebert [Wed, 8 Sep 2021 12:05:13 +0000 (14:05 +0200)]
Incorrect use of spaces for indentation in <5.4
Alexander Ebert [Sun, 8 Aug 2021 09:29:26 +0000 (11:29 +0200)]
Sandbox `foreachVars` in templates
Nesting the same template inside a `foreach` loop that is also accessed inside the nested call will overwrite the values from the outer template due to identical identifiers being used.
The sandbox did not protect `$this->foreachVars` despite it being stateful.
See #4431
Fixes #4444
joshuaruesweg [Wed, 8 Sep 2021 11:53:42 +0000 (13:53 +0200)]
Reset ACL field values within form cleanup
joshuaruesweg [Wed, 8 Sep 2021 11:51:29 +0000 (13:51 +0200)]
Remove empty lines