Miguel Dantas [Tue, 25 Jun 2019 22:20:17 +0000 (23:20 +0100)]
[CORE] Attachments and thumbnails aren't accessed directly by the file under the file storage folder, but indirectly from PHP, so that access to the file folder can be blocked in the server config
Miguel Dantas [Tue, 11 Jun 2019 01:42:33 +0000 (02:42 +0100)]
[MEDIA] File downloader now in PHP, added proper name in the UI and changed the format for new attachment file names
The file downloader was changed from a simple redirect to the file to one
implemented in PHP, which should make it safer, by making it possible to disallow
direct access to the file, to prevent execution of attachments
The filename has a new format:
`bin2hex("{$original_name}")."-{$filehash}"`
This format should be respected. Notice the dash, which is important to distinguish it from the previous
format, which was `"{$hash}.{$ext}"`
This change was made to both make the experience more user friendly, by
providing a readable name for files, as opposed to its hash. This name is taken
from the upload filename, but, clearly, as this wasn't done before, it's
impossible to have a proper name for older files, so those are displayed as
"untitled.{$ext}".
This new name is displayed in the UI, instead of the previous name.
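The filename scheme above, as an added example that is not GNU social's own code: it builds a stored name from the upload name and a hex content hash (assumed here to be a SHA-256 digest), and recovers a display name while still recognising the older `{$hash}.{$ext}` files, which have no dash and therefore fall back to `untitled.{$ext}`.

```php
<?php
// Added example, not GNU social's code. The storage name is
// bin2hex($original_name) . "-" . $filehash, as described in the commit;
// $filehash is assumed to be a hex digest of the file contents.

function attachment_storage_name(string $original_name, string $filehash): string
{
    // bin2hex keeps the stored name free of path separators, dots and
    // anything a filesystem or URL could misinterpret (e.g. "../" or ".php").
    return bin2hex($original_name) . '-' . $filehash;
}

function attachment_display_name(string $stored_name): string
{
    // New format: <hex-encoded name>-<hash>. The dash is what distinguishes it
    // from the old "<hash>.<ext>" format, which contains no dash at all.
    // The hex part must have even length, otherwise hex2bin() fails.
    if (preg_match('/^((?:[0-9a-f]{2})*)-([0-9a-f]+)$/i', $stored_name, $m) === 1) {
        $name = hex2bin($m[1]);
        if ($name !== false && $name !== '') {
            // Never let a hostile upload name carry directory components into the UI.
            return basename($name);
        }
    }
    // Old format "<hash>.<ext>": no readable name was ever stored, so show
    // "untitled.<ext>" as the UI does for legacy files.
    $ext = pathinfo($stored_name, PATHINFO_EXTENSION);
    return $ext !== '' ? "untitled.{$ext}" : 'untitled';
}

// Constructed sample values for a stand-alone run.
$hash   = hash('sha256', 'sample file contents');
$stored = attachment_storage_name('../report.pdf', $hash);
echo $stored, "\n";                                   // 2e2e2f7265706f72742e706464-<sha256>
echo attachment_display_name($stored), "\n";          // report.pdf (directory part stripped)
echo attachment_display_name('deadbeef.png'), "\n";   // untitled.png (legacy format)
```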
Diogo Cordeiro [Sat, 22 Jun 2019 17:57:43 +0000 (18:57 +0100)]
[CORE] Use random_bytes() if available and improve common_confirmation_code() randomness.
With PHP 7 comes the [random_bytes()](https://php.net/manual/en/function.random-bytes.php) and the [random_int()](https://www.php.net/manual/en/function.random-int.php) function which generates cryptographically secure pseudo-random bytes and integers, respectively.
[CORE] Fix wrong Profile_list schema and set created in user_im_prefs properly - by XRevan86
This reverts 496ab8c9, which was a bad correction of user_im_prefs values
Diogo Cordeiro [Mon, 10 Jun 2019 13:55:38 +0000 (14:55 +0100)]
[OpenID] s/sync/synch
This commit also fixes the translation in /plugins/OpenID/actions/finishopenidlogin.php#L203-L204 (s/Syncronize/Synchronize)
Sync is bad technical jargon and we should use Synch instead.
Synch is already used in other parts of GNU social as seen in plugins/TwitterBridge/classes/Twitter_synch_status.php
Miguel Dantas [Fri, 7 Jun 2019 13:08:27 +0000 (14:08 +0100)]
[MEDIA] ImageFile now extends MediaFile and validates images more aggressively.
Default supported files need to use consistent names. Bumped version to 1.20.0
ImageFile has been changed to extend MediaFile and rely on it to partially
validate files. This validation has been extended to not rely solely on
Fileinfo, as it is disabled in some places. Now it'll try to use the shell
command `file`, if Fileinfo isn't available.
ImageFile now converts every new upload to PNG, except JPEG and GIF, which
are kept, but still resized (to the same size), to remove possible scripts
embedded therein.
MediaFile::fromUpload will return an ImageFile if the uploaded file is an image
or a MediaFile otherwise.
MediaFile can be constructed with an id with value -1 to denote a temporary
object, which is not added to the DB. This is useful to create a temporary
object for representing images, so it can be used to rescale them.
The supported attachment array needs to be populated with the result of calling
`image_type_to_extension` for the appropriate image type, in the case of images.
This is important so all parts of the code see the same extension for each image
type (jpg vs jpeg).
Added documentation to classes/File.php and to lib/MediaFile and lib/ImageFile
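The two defensive steps from this commit, written as an added example rather than GNU social's MediaFile/ImageFile code: MIME detection through Fileinfo with a fallback to the `file` shell command, and re-encoding of uploaded images through GD (JPEG and GIF keep their format, everything else becomes PNG) so that data or scripts appended to the original bytes do not survive into the stored copy. The extension is taken from `image_type_to_extension()` so every caller sees the same name for a type.

```php
<?php
// Added example, not GNU social's code. Assumes the GD and (optionally)
// Fileinfo extensions; file(1) is used only when Fileinfo is unavailable.

function detect_mime_type(string $path): ?string
{
    if (class_exists('finfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        if ($mime !== false) {
            return $mime;
        }
    }
    // Fileinfo is disabled on some hosts: fall back to `file -b --mime-type`.
    // escapeshellarg() stops an upload path from injecting shell syntax.
    $out = shell_exec('file -b --mime-type ' . escapeshellarg($path) . ' 2>/dev/null');
    $out = is_string($out) ? trim($out) : '';
    return $out !== '' ? $out : null;
}

// Re-encodes $src into $dst and returns the extension to store it under.
function reencode_image(string $src, string $dst): string
{
    $mime = detect_mime_type($src);
    if ($mime === null || strpos($mime, 'image/') !== 0) {
        throw new RuntimeException("not an image: " . ($mime ?? 'unknown type'));
    }
    $bytes = file_get_contents($src);
    // Decode from the bytes themselves; the declared type and extension are untrusted.
    $info = getimagesizefromstring($bytes);
    $img  = $info === false ? false : @imagecreatefromstring($bytes);
    if ($img === false) {
        throw new RuntimeException("undecodable image ({$mime})");
    }
    // JPEG and GIF are re-encoded in place (same size); anything else becomes PNG.
    // Only pixels are written out, so trailing payloads in the upload are dropped.
    switch ($info[2]) {
        case IMAGETYPE_JPEG: imagejpeg($img, $dst, 90); $type = IMAGETYPE_JPEG; break;
        case IMAGETYPE_GIF:  imagegif($img, $dst);      $type = IMAGETYPE_GIF;  break;
        default:             imagepng($img, $dst);      $type = IMAGETYPE_PNG;  break;
    }
    imagedestroy($img);
    // image_type_to_extension() gives one canonical name per type (e.g. "jpeg", never "jpg").
    return image_type_to_extension($type, false);
}
```

Note that GD decodes only the first frame of an animated GIF, so the re-encoded copy is a still image, which is consistent with the commit's aim of discarding everything except the picture data.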
brunoccast [Sun, 9 Jun 2019 17:01:55 +0000 (18:01 +0100)]
[THEME] Fix OpenID settings styles
- Action buttons are now side-by-side
- Dropped unused style rule concerning the solo-positioning of the Remove button
- Bump GS patch version
Versioning:
- Bump OpenID minor version
- Bump GS patch version
Why would labeling the Synchronize button as Sync have been in bad taste? - answered by XRevan86:
In "synchronise" "ch" is a digraph meaning /k/ (actually /x/ turned into /k/ in English but whatever).
So… not separate letters.
It's like "ph" in "alphabet", or "sh" in "sheep", or "ch" in "chop" -- "ch" can mean a whole variety of sounds.
Diogo Cordeiro [Wed, 5 Jun 2019 21:59:54 +0000 (22:59 +0100)]
[NGINX conf] Move /var/run to /run
As seen in https://lists.fedoraproject.org/pipermail/devel/2011-March/150031.html
Thanks to XRevan86 for reporting this :)
Diogo Cordeiro [Mon, 3 Jun 2019 00:56:52 +0000 (01:56 +0100)]
[VersionBump] 1.19.0, fairly late
The core plugins whose version was attached to GS's were reset to 2.0.0.
2.0.0 was chosen as reset version for plugins because it is higher than
the one that was set by inheriting GS version. Furthermore, it's a
major change from prior plugin versioning system thus it also makes
semantic sense.
Diogo Cordeiro [Sat, 11 May 2019 20:20:09 +0000 (21:20 +0100)]
[SESSION] Increase type strictness for full PHP adherence
Documented this file (adapted from maiyannah's postActiv doc)
This commit also fixes PHP Warning: session_write_close(): Session callback expects true/false return value in classes/Session.php on line 289 (spotted by XRevan86)
Observation: In a newer release we will be replacing this kind of cast with actual explicit PHP7 return types