git.mxchange.org Git - friendica.git/commit

author	Hypolite Petovan <hypolite@mrpetovan.com>
	Thu, 22 Feb 2024 05:53:52 +0000 (00:53 -0500)
committer	GitHub <noreply@github.com>
	Thu, 22 Feb 2024 05:53:52 +0000 (06:53 +0100)
commit	5c5d7eb04fbacbe5987bd83022b158e095d13f13
tree	199a9faf99ff41cf1008dfcc0ae23027357220cb	tree \| snapshot
parent	fc3898fe6473e46f07de2f7e3a398a395f275f23	commit \| diff

Fix several vulnerabilities (#13927)

* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event

src/Model/Event.php		diff \| blob \| history
src/Module/Admin/PhpInfo.php		diff \| blob \| history
src/Module/Attach.php		diff \| blob \| history
src/Module/BaseAdmin.php		diff \| blob \| history
src/Module/Calendar/Event/API.php		diff \| blob \| history
src/Module/Debug/Babel.php		diff \| blob \| history
view/templates/babel.tpl		diff \| blob \| history
view/theme/frio/templates/event_stream_item.tpl		diff \| blob \| history