Tim Düsterhus [Mon, 16 Jan 2023 13:40:29 +0000 (14:40 +0100)]
Fix XSS vulnerability in registerActivation.tpl
This was introduced in
a477e3522933a7204b02013cd6b6d47d0db1d254 when the
activation logic was refactored to no longer use numeric-only activation codes.
Thanks to Chabik Hatim for responsibly reporting the vulnerability.
Tim Düsterhus [Mon, 16 Jan 2023 13:49:57 +0000 (14:49 +0100)]
Merge pull request #5225 from WoltLab/supportexpiry-53
Notify users of the expiring support (5.3)
Tim Düsterhus [Tue, 2 Nov 2021 11:11:50 +0000 (12:11 +0100)]
Notify users of the expiring support (5.3)
see #4574
Alexander Ebert [Tue, 18 Oct 2022 14:38:23 +0000 (16:38 +0200)]
Release 5.3.25
Tim Düsterhus [Tue, 18 Oct 2022 14:25:39 +0000 (16:25 +0200)]
Merge branch 'js-relocate-xss' into 5.3
Tim Düsterhus [Thu, 13 Oct 2022 15:19:17 +0000 (17:19 +0200)]
Fix XSS vulnerability within the JavaScript relocator
If the relocation placeholder appeared multiple times within the source code,
it would also be replaced multiple times. This might allow an attacker to blow
up the HTML structure by including the placeholder within UGC.
Fix this issue by only ever replacing the last placeholder, which should be the
“real” one from footer.tpl. In the future this should be protected further by
including a random nonce to prevent this attack entirely.
Alexander Ebert [Wed, 6 Jul 2022 10:25:19 +0000 (12:25 +0200)]
Release 5.3.24
Tim Düsterhus [Tue, 5 Jul 2022 11:25:39 +0000 (13:25 +0200)]
Merge pull request #4896 from WoltLab/abstract-category-edit-check-type
Verify that the category's objectType matches the form's objectType in AbstractCategoryEditForm
Tim Düsterhus [Mon, 4 Jul 2022 14:08:34 +0000 (16:08 +0200)]
Verify that the category's objectType matches the form's objectType in AbstractCategoryEditForm
Tim Düsterhus [Tue, 21 Jun 2022 08:52:30 +0000 (10:52 +0200)]
Tim Düsterhus [Tue, 21 Jun 2022 08:44:38 +0000 (10:44 +0200)]
Update guzzlehttp/psr7
This is a dependency for an updated Guzzle.
see guzzle/psr7@
e98e3e6d4f86621a9b75f623996e6bbdeb4b9318
see guzzle/guzzle@
a52f0440530b54fa079ce76e8c5d196a42cad981
Tim Düsterhus [Tue, 21 Jun 2022 08:41:51 +0000 (10:41 +0200)]
Regenerate composer files
Tim Düsterhus [Fri, 10 Jun 2022 07:21:12 +0000 (09:21 +0200)]
Alexander Ebert [Wed, 1 Jun 2022 14:37:56 +0000 (16:37 +0200)]
Release 5.3.23
Alexander Ebert [Wed, 1 Jun 2022 14:37:15 +0000 (16:37 +0200)]
Merge branch '5.2' into 5.3
Alexander Ebert [Wed, 1 Jun 2022 14:34:57 +0000 (16:34 +0200)]
Release 5.2.21
Alexander Ebert [Wed, 1 Jun 2022 14:29:04 +0000 (16:29 +0200)]
Merge branch '3.1' into 5.2
Alexander Ebert [Wed, 1 Jun 2022 14:26:21 +0000 (16:26 +0200)]
Release 3.1.29
Tim Düsterhus [Tue, 31 May 2022 13:36:26 +0000 (15:36 +0200)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Tue, 31 May 2022 13:35:00 +0000 (15:35 +0200)]
Adjust PHP versions in environment check for 5.2
see
598b72301a2cdcd0f3a0c1196f6fc1107e01650e
Tim Düsterhus [Tue, 31 May 2022 13:33:43 +0000 (15:33 +0200)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Tue, 31 May 2022 13:31:44 +0000 (15:31 +0200)]
Merge pull request #4840 from WoltLab/system-environment-check
Add basic check for the runtime environment
Tim Düsterhus [Tue, 31 May 2022 13:11:02 +0000 (15:11 +0200)]
Add basic check for the runtime environment
Running WoltLab Suite in an unsupported environment might work for the
majority of requests, some requests might fail very visibly. But there
also is a third type: A request that *appear* to execute properly, but
that subtly behaves incorrectly, due to a change in PHP's behavior.
The latter type is dangerous, as those requests might introduce errors
into the dataset that are very hard to impossible to correct after the
fact because the necessary information to fix up the data is no longer
available.
Prevent this situation from occuring by performing a basic test of the
runtime environment and halting processing early if this test fails to
ensure that it processed as little as possible.
Tim Düsterhus [Tue, 31 May 2022 12:57:44 +0000 (14:57 +0200)]
Enable HTML escaping of `->errorMessage` in packageUpdateServerList.tpl
This is not exploitable for a full-blown XSS attack, as any HTML tags are
stripped. Nonetheless the `"` character can cause issues, as the value is also
displayed in an HTML attribute and the error message contains uncontrolled
content.
Tim Düsterhus [Wed, 25 May 2022 13:31:40 +0000 (15:31 +0200)]
Tim Düsterhus [Wed, 25 May 2022 13:30:33 +0000 (15:30 +0200)]
Regenerate composer autoloader
Tim Düsterhus [Wed, 11 May 2022 12:56:09 +0000 (14:56 +0200)]
Add the `required` attribute to the recipientID select in contact.tpl
see
a8490749c3ba7014380d55462fc45dd635c1d71c
Tim Düsterhus [Wed, 11 May 2022 12:49:24 +0000 (14:49 +0200)]
Indicate that selecting a recipient is required in contact.tpl
Marcel Werk [Sat, 7 May 2022 15:41:46 +0000 (17:41 +0200)]
Merge branch '5.2' into 5.3
Marcel Werk [Sat, 7 May 2022 15:40:48 +0000 (17:40 +0200)]
Revert "Show always an no selection option in custom select options build with the OptionHandler"
This reverts commit
6fef8b82e15794eee5317e6b15bb0670f137315c.
Alexander Ebert [Thu, 14 Apr 2022 14:45:23 +0000 (16:45 +0200)]
Release 5.3.22
Tim Düsterhus [Mon, 21 Mar 2022 10:03:59 +0000 (11:03 +0100)]
Merge pull request #4706 from WoltLab/guzzle-psr7-backport
Update guzzlehttp/psr7 to a custom fork
Tim Düsterhus [Sun, 20 Mar 2022 14:22:29 +0000 (15:22 +0100)]
Update guzzlehttp/psr7 to a custom fork
see WoltLab/guzzle-psr7@
ff7be9fcf7da87f971990b1a61d8a7f2b5aeac9b
see WoltLab/guzzle-psr7@
986596de01529f6e837a5cadfef9ec714ace7914
Alexander Ebert [Thu, 17 Mar 2022 16:36:32 +0000 (17:36 +0100)]
Release 5.3.21
Alexander Ebert [Thu, 17 Mar 2022 16:34:59 +0000 (17:34 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Thu, 17 Mar 2022 16:33:49 +0000 (17:33 +0100)]
Release 5.2.20
Alexander Ebert [Thu, 17 Mar 2022 16:32:53 +0000 (17:32 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Thu, 17 Mar 2022 16:31:13 +0000 (17:31 +0100)]
Release 3.1.28
Alexander Ebert [Thu, 17 Mar 2022 14:43:27 +0000 (15:43 +0100)]
Release 3.1.28
Tim Düsterhus [Thu, 17 Mar 2022 13:28:38 +0000 (14:28 +0100)]
Merge branch '5.2' into 5.3
WoltLab [Thu, 17 Mar 2022 13:27:24 +0000 (13:27 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Thu, 17 Mar 2022 13:25:53 +0000 (14:25 +0100)]
Merge branch '3.1' into 5.2
WoltLab [Thu, 17 Mar 2022 13:23:56 +0000 (13:23 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Thu, 17 Mar 2022 13:21:34 +0000 (14:21 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Thu, 17 Mar 2022 13:20:55 +0000 (14:20 +0100)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Wed, 16 Mar 2022 16:55:20 +0000 (17:55 +0100)]
Escape HTML in the filename of the progress indicator during attachment upload
(cherry picked from commit
81b770284267db5dc8c8df86e303a20c3ccb8dce)
Tim Düsterhus [Thu, 17 Mar 2022 13:12:25 +0000 (14:12 +0100)]
Merge branch 'cronjobLogList-xss' into 3.1
Tim Düsterhus [Thu, 17 Mar 2022 08:10:12 +0000 (09:10 +0100)]
Fix XSS in the cronjob's error message in cronjobLogList
This can happen if untrusted information, such as the HTTP response body for a
failed Guzzle request, is embedded into the error message.
Thanks to @SoftCreatR for responsibly reporting the issue.
WoltLab [Wed, 16 Mar 2022 17:31:50 +0000 (17:31 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Wed, 16 Mar 2022 16:55:20 +0000 (17:55 +0100)]
Escape HTML in the filename of the progress indicator during attachment upload
Marcel Werk [Mon, 14 Mar 2022 09:27:14 +0000 (10:27 +0100)]
Only revert points when revoking a reaction
Tim Düsterhus [Wed, 9 Mar 2022 14:16:41 +0000 (15:16 +0100)]
Upgrade to `actions/checkout@v3`
Tim Düsterhus [Wed, 9 Mar 2022 14:14:53 +0000 (15:14 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Wed, 9 Mar 2022 14:14:35 +0000 (15:14 +0100)]
Upgrade to `actions/checkout@v3`
Tim Düsterhus [Wed, 9 Mar 2022 12:49:18 +0000 (13:49 +0100)]
Validate the `pageNo` in UserTrophyAction::validateGetGroupedUserTrophyList()
Tim Düsterhus [Wed, 9 Mar 2022 12:48:52 +0000 (13:48 +0100)]
Validate that the userID matches a user in UserFollowingAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:48:19 +0000 (13:48 +0100)]
Validate the `pageNo` in UserFollowingAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:47:42 +0000 (13:47 +0100)]
Validate that the userID matches a user in UserFollowAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:47:01 +0000 (13:47 +0100)]
Validate the `pageNo` in UserFollowAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:46:29 +0000 (13:46 +0100)]
Validate the `pageNo` in MediaAction::validateGetSearchResultList()
Tim Düsterhus [Wed, 9 Mar 2022 12:45:45 +0000 (13:45 +0100)]
Validate the `pageNo` in LikeAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 12:45:05 +0000 (13:45 +0100)]
Validate the `pageNo` in UserProfileVisitorAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 11:19:20 +0000 (12:19 +0100)]
Validate the limit and offset in Database::handleLimitParameter()
Tim Düsterhus [Wed, 9 Mar 2022 09:40:02 +0000 (10:40 +0100)]
Simplify condition in UserTrophyAction::validateGetGroupedUserTrophyList()
Tim Düsterhus [Wed, 9 Mar 2022 09:39:36 +0000 (10:39 +0100)]
Validate that the userID matches a user in UserTrophyAction::validateGetGroupedUserTrophyList()
Tim Düsterhus [Wed, 9 Mar 2022 09:38:04 +0000 (10:38 +0100)]
Validate that the userID matches a user in UserProfileVisitorAction::validateGetGroupedUserList()
Tim Düsterhus [Wed, 9 Mar 2022 09:33:51 +0000 (10:33 +0100)]
Fix typing of RuntimeCache's getObject() method
joshuaruesweg [Thu, 3 Mar 2022 12:56:27 +0000 (13:56 +0100)]
Fix detection of ipv4 adresses for stopforumspam integration
Tim Düsterhus [Mon, 28 Feb 2022 12:10:16 +0000 (13:10 +0100)]
Validate the messageObjectType in MessagePreviewAction::validateGetMessagePreview()
Tim Düsterhus [Mon, 28 Feb 2022 12:02:17 +0000 (13:02 +0100)]
Validate the object type definition in CommentAction::validateObjectType()
Alexander Ebert [Tue, 15 Feb 2022 13:54:23 +0000 (14:54 +0100)]
Release 5.3.20
Tim Düsterhus [Tue, 8 Feb 2022 09:07:00 +0000 (10:07 +0100)]
Ignore `length` when diffing YearDatabaseTableColumn
Similarly to INT columns MySQL 8 ignores the length of YEAR columns:
https://dev.mysql.com/doc/refman/8.0/en/year.html
> As of MySQL 8.0.19, the YEAR(4) data type with an explicit display width is
> deprecated and you should expect support for it to be removed in a future
> version of MySQL. Instead, use YEAR without a display width, which has the
> same meaning.
Alexander Ebert [Mon, 31 Jan 2022 16:30:49 +0000 (17:30 +0100)]
Release 5.3.19
Alexander Ebert [Mon, 31 Jan 2022 16:30:10 +0000 (17:30 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Mon, 31 Jan 2022 16:28:38 +0000 (17:28 +0100)]
Release 5.2.19
Alexander Ebert [Mon, 31 Jan 2022 16:27:54 +0000 (17:27 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Mon, 31 Jan 2022 16:24:44 +0000 (17:24 +0100)]
Release 3.1.27
Tim Düsterhus [Mon, 31 Jan 2022 16:18:38 +0000 (17:18 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Mon, 31 Jan 2022 16:18:14 +0000 (17:18 +0100)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Mon, 31 Jan 2022 16:17:54 +0000 (17:17 +0100)]
Merge branch 'unknown-bbcode-xss' into 3.1
Tim Düsterhus [Mon, 31 Jan 2022 13:18:17 +0000 (14:18 +0100)]
Fix XSS vulnerability in HtmlBBCodeParser::buildBBCodeTag()
Thanks to @methosiea for responsibly reporting this issue.
Resolves #4653
Tim Düsterhus [Thu, 27 Jan 2022 13:01:33 +0000 (14:01 +0100)]
Fix regular expression for the `atext` production in EmailGrammar
Due to the missing escaping of the hyphen with a backslash the allowed
characters were not just:
- The plus sign (`+`, 0x2B),
- the dash (`-`, 0x2D), and
- the slash (`/`, 0x2F).
But all ASCII characters between 0x2B and 0x2F, namely:
- The plus sign (`+`, 0x2B),
- the comma (`,`, 0x2C),
- the dash (`-`, 0x2D),
- the dot (`.`, 0x2E), and
- the slash (`/`, 0x2F).
i.e. the comma and dot in addition to the actually allowed characters.
This error caused an incorrect encoding of headers in `::encodeHeader()`.
Specifically the real name of a mailbox was affected by this issue. As a result
a real name that included a dot, but otherwise matched the `atom` grammar was
improperly encoded, possibly causing email parsing failures for MUAs.
Tim Düsterhus [Fri, 21 Jan 2022 12:53:33 +0000 (13:53 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Fri, 21 Jan 2022 12:50:28 +0000 (13:50 +0100)]
Remove codestyle workflow for non-PSR-12 branches
The recent backport of the `|json` template modifier from 5.5 to 3.1+ in
58bc4b693415079127dd11d8210d2564a443010d fails the code style, because the
branches 5.3 and earlier expect tabs instead of spaces for indentation.
It's not really work fixing the code style for the file, just to revert it once
again when merging upwards.
Remove the check for these older branches. They are only touched for bug fixes
and the style will need to be adapted when merging into 5.4.
Alexander Ebert [Fri, 21 Jan 2022 12:48:46 +0000 (13:48 +0100)]
Release 5.3.18
Alexander Ebert [Fri, 21 Jan 2022 12:47:22 +0000 (13:47 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Fri, 21 Jan 2022 12:30:34 +0000 (13:30 +0100)]
Release 5.2.18
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`
(cherry picked from commit
ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)
Alexander Ebert [Fri, 21 Jan 2022 12:27:41 +0000 (13:27 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Fri, 21 Jan 2022 12:06:52 +0000 (13:06 +0100)]
Release 3.1.26
Tim Düsterhus [Thu, 20 Jan 2022 10:50:47 +0000 (11:50 +0100)]
Add missing JSON encoding of the PAGE_TITLE in `ampArticle.tpl`
This does not need to be fixed in any current branch, because the broken-ness
of `|encodeJSON` will result in broken metadata one way or another.
(cherry picked from commit
bba7f1706e30761e55954a5a4be569e5bb55a6c4)
Tim Düsterhus [Thu, 20 Jan 2022 10:50:19 +0000 (11:50 +0100)]
Stop using `|encodeJSON`
(cherry picked from commit
ab1e34de9ca94dc44b20d0b4d58eca2bad80d9d3)
Tim Düsterhus [Thu, 20 Jan 2022 10:48:16 +0000 (11:48 +0100)]
Add `|json` template modifier
(cherry picked from commit
e178fa84dc06861c5aba3d14e03161c5396fe9a7)
Alexander Ebert [Wed, 19 Jan 2022 13:10:10 +0000 (14:10 +0100)]
Release 5.3.17
Alexander Ebert [Wed, 19 Jan 2022 13:00:57 +0000 (14:00 +0100)]
Merge branch '5.2' into 5.3
Alexander Ebert [Wed, 19 Jan 2022 12:55:01 +0000 (13:55 +0100)]
Release 5.2.17
Alexander Ebert [Wed, 19 Jan 2022 12:50:25 +0000 (13:50 +0100)]
Merge branch '3.1' into 5.2
Alexander Ebert [Wed, 19 Jan 2022 12:46:00 +0000 (13:46 +0100)]
Release 3.1.25
Tim Düsterhus [Wed, 19 Jan 2022 12:29:21 +0000 (13:29 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Wed, 19 Jan 2022 12:29:10 +0000 (13:29 +0100)]
Merge branch '3.1' into 5.2