[CORE] Move public resources to a /public directory
Advantages:
* Increases security by preventing direct access to file/
* We are careful and have a defined('GNUSOCIAL') || die() to prevent
direct access to GS files, but we may miss one or a vendor/extlib may
not be as careful
* Improves directory structure - It's more natural to physically
separate what is public from what are GNU social resources
Diogo Cordeiro [Mon, 12 Mar 2018 03:23:55 +0000 (21:23 -0600)]
[CORE][COMPOSER] Move extlib packages with immediate composer correspondent to composer dependencies
This adds a composer.json for all dependencies that are available
Miguel Dantas [Sat, 29 Jun 2019 19:10:20 +0000 (20:10 +0100)]
[MEDIA][OEMBED] Fixed regression in OEmbed, because it relied on accessing the files directly, which previous commits broke. The File table really should have a bool...
Miguel Dantas [Fri, 28 Jun 2019 00:44:51 +0000 (01:44 +0100)]
[OEMBED][UI] Skip adding an image thumbnail for oembed results if we
don't have a file locally to generate it, which can happen, for
instance, if StoreRemoteMedia is disabled
Miguel Dantas [Wed, 26 Jun 2019 02:27:51 +0000 (03:27 +0100)]
[CORE][UI] Made attachment actions and its subactions be able to identify attachments by id and by filehash. Changed the url stored in the DB to be attachment//view
Miguel Dantas [Wed, 26 Jun 2019 00:54:55 +0000 (01:54 +0100)]
[CORE][UI][ROUTER] Added view action, which inlines images and videos but downloads everything else. Fixed File url to get an URL fromthe view action, so when a making a remote notice, the correct URL is used, not accessing directly to the file
Miguel Dantas [Tue, 25 Jun 2019 22:20:17 +0000 (23:20 +0100)]
[CORE] Attachments and thumbnails aren't accessed directly by the file under the file storage folder, but indirectly from PHP, so that access to the file folder can be blocked in the server config
Miguel Dantas [Tue, 11 Jun 2019 01:42:33 +0000 (02:42 +0100)]
[MEDIA] File downloader now in PHP, added proper name in the UI and changed the format for new attachment file names
The file downloader was changed from a simple redirect to the file to one
implemented in PHP, which should make it safer, by making it possible disallow
direct access to the file, to prevent executing of atttachments
The filename has a new format:
bin2hex("{$original_name}")."-{$filehash}"
This format should be respected. Notice the dash, which is important to distinguish it from the previous
format, which was "{$hash}.{$ext}"
This change was made to both make the experience more user friendly, by
providing a readable name for files, as opposed to it's hash. This name is taken
from the upload filename, but, clearly, as this wasn't done before, it's
impossible to have a proper name for older files, so those are displayed as
"untitled.{$ext}".
This new name is displayed in the UI, instead of the previous name.
Diogo Cordeiro [Sat, 22 Jun 2019 17:57:43 +0000 (18:57 +0100)]
[CORE] Use random_bytes() if available and improve common_confirmation_code() randomness.
With PHP 7 comes the [random_bytes()](https://php.net/manual/en/function.random-bytes.php) and the [random_int()](https://www.php.net/manual/en/function.random-int.php) function which generates cryptographically secure pseudo-random bytes and integers, respectively.
[CORE] Fix wrong Profile_list schema and set created in user_im_prefs properly - by XRevan86
This reverts 496ab8c9, which was a bad correction of user_im_prefs values
Diogo Cordeiro [Mon, 10 Jun 2019 13:55:38 +0000 (14:55 +0100)]
[OpenID] s/sync/synch
This commit also fixes the translation in /plugins/OpenID/actions/finishopenidlogin.php#L203-L204 (s/Syncronize/Synchronize)
Sync is a bad technical jargon and we should use Synch instead.
Synch is already used in other parts of GNU social as seen in plugins/TwitterBridge/classes/Twitter_synch_status.php
Miguel Dantas [Fri, 7 Jun 2019 13:08:27 +0000 (14:08 +0100)]
[MEDIA] ImageFile now extends MediaFile and validates images more aggressively.
Default supported files need to use consistent names. Bumped version to 1.20.0
ImageFile has been changed to extend MediaFile and rely on it to partially
validate files. This validation has been extended to not rely solely on
Fileinfo, as it is disabled on some places. Now it'll try to use the shell
command `file`, if Fileinfo isn't available.
ImageFile now converts every new upload to PNG, except JPEG and GIF, which
are kept, but still resized (to the same size), to remove possible scripts
embedded therein.
MediaFile::fromUpload will return an ImageFile if the uploaded file is an image
or a MediaFile otherwise.
MediaFile can be constructed with an id with value -1 to denote a temporary
object, which is not added to the DB. This is useful to create a temporary
object for representing images, so it can be used to rescale them.
The supported attachment array needs to be populated with the result of calling
`image_type_to_extension` for the appropriate image type, in the case of images.
This is important so all parts of the code see the same extension for each image
type (jpg vs jpeg).
Added documentation to classes/File.php and to lib/MediaFile and lib/ImageFile
brunoccast [Sun, 9 Jun 2019 17:01:55 +0000 (18:01 +0100)]
[THEME] Fix OpenID settings styles
- Action buttons are now side-by-side
- Dropped unused style rule concerning the solo-positioning of the Remove button
- Bump GS patch version
Versioning:
- Bump OpenID minor version
- Bump GS patch version
Why would have labeling the Synchronize button of Sync been of bad taste? - answered by XRevan86:
In "synchronise" "ch" is a digraph meaning /k/ (actually /x/ turned into /k/ in English but whatever).
So… not separate letters.
It's like "ph" in "alphabet", or "sh" in "sheep", or "ch" in "chop" -- "ch" can mean a whole variety of sounds.
Diogo Cordeiro [Wed, 5 Jun 2019 21:59:54 +0000 (22:59 +0100)]
[NGINX conf] Move /var/run to /run
As seen in https://lists.fedoraproject.org/pipermail/devel/2011-March/150031.html
Thanks to XRevan86 for reporting this :)