release 1.1.9
parent
072207e1c8
commit
e2070c9b7a
5
CREDITS
5
CREDITS
@ -29,8 +29,10 @@ Benoît Bleuzé <benoit.bleuze@gmail.com>
|
||||
Christian Kier <kier@isip.uni-luebeck.de>
|
||||
Christoph Anton Mitterer <calestyo@scientia.net>
|
||||
CSchulz <christian@schulz.re>
|
||||
Cyprian Guerra <cyprian.guerra@gmail.com>
|
||||
Cyril Giraud <cgiraud@free.fr>
|
||||
Daniel Aleksandersen <code@daniel.priv.no>
|
||||
Danny de Weille <info@hackdefense.com>
|
||||
DAViCal Administrator <davical@fry.dotcal.com>
|
||||
Dávid Takács <david.takacs@cafeopen.eu>
|
||||
Émile Morel <emorel@quarkslab.com>
|
||||
@ -61,7 +63,9 @@ Matthias Beyer <matthias@ib-fb.de>
|
||||
Matthias Mohr <Matthias@Mohrenclan.de>
|
||||
Maxime Delorme <mdelorme@tennaxia.com>
|
||||
Michael Trausch <mike@trausch.us>
|
||||
Milan Crha <mcrha@redhat.com>
|
||||
Milan Medlik <milan@morphoss.com>
|
||||
Niels van Gijzen <n.van.gijzen@gmail.com>
|
||||
Nishanth Aravamudan <nish.aravamudan@canonical.com>
|
||||
Nomad Arton <pch13@myzel.net>
|
||||
Patrick Näf Moser <patrick@moser-naef.ch>
|
||||
@ -71,6 +75,7 @@ Peter Schaefer-Hutter <pschaefer@users.sourceforge.net>
|
||||
Philipp Matthias Hahn <pmhahn@pmhahn.de>
|
||||
Pierre Giraud <pierre.giraud@dalibo.com>
|
||||
Raphael Hertzog <debian@mcmillan.net.nz>
|
||||
Rick Verdoes <info@hackdefense.com>
|
||||
Rik Theys <Rik.Theys@esat.kuleuven.be>
|
||||
Rob Ostensen <caveman+davical@caveman.name>
|
||||
Sarenet S.A.U Egoitz Aurrekoetxea <egoitz@sarenet.es>
|
||||
|
||||
31
ChangeLog
31
ChangeLog
@ -1,3 +1,34 @@
|
||||
2019-11-29 Niels van Gijzen <niels.van.gijzen@gmail.com>
|
||||
* Correct reflected cross-site scripting (XSS) vulnerability
|
||||
* Correct persistent XSS vulnerability in user/group/resource details
|
||||
* Correct persistent XSS vulnerability in user/group/resource list
|
||||
* Add token to address cross-site request forgery (CSRF) vulnerability
|
||||
|
||||
2019-11-26 Andrew Ruthven <puck@catalyst.net.nz>
|
||||
* More syntax errors with collection_id
|
||||
|
||||
2019-03-28 Cyprian Guerra <cyprian.guerra@gmail.com>
|
||||
* Fix syntax of collection_id parameter
|
||||
|
||||
2019-06-19 Milan Crha <mcrha@redhat.com>
|
||||
* Add missing 'break' to rrule.php
|
||||
|
||||
2019-03-11 Florian Schlichting <fsfs@debian.org>
|
||||
* More PHP curl message corrections
|
||||
|
||||
2019-03-06 Andrew Ruthven <puck@catalyst.net.nz>
|
||||
* Specify PHP curl, not PHP5
|
||||
|
||||
2019-03-05 Jamie McClymont <jamie.mcclymont@gmail.com>
|
||||
* Update minimum PHP version requirement
|
||||
|
||||
2019-02-27 Jamie McClymont <jamiemcclymont@catalyst.net.nz>
|
||||
* Make range-based calendar queries use the new first_instance_start/last_instance_end columns
|
||||
* Make calquery expansion aware of the calendar default timezone
|
||||
|
||||
2019-02-12 Florian Schlichting <fsfs@debian.org>
|
||||
* Fix more PHP7+ type hints for PHP5 compatibility (fixes #197)
|
||||
|
||||
2019-01-30 Florian Schlichting <fsfs@debian.org>
|
||||
* add users to new groups in the "update groups" step
|
||||
* honour do_not_sync_group_from_ldap when creating groups, correctly display all results
|
||||
|
||||
@ -8,47 +8,6 @@
|
||||
|
||||
if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');
|
||||
|
||||
// XSS Protection
|
||||
function filter_post(&$val, $index) {
|
||||
if(in_array($index, ["newpass1", "newpass2"])) return;
|
||||
|
||||
switch (gettype($val)) {
|
||||
case "string":
|
||||
$val = htmlspecialchars($val);
|
||||
break;
|
||||
|
||||
case "array":
|
||||
array_walk_recursive($val, function(&$v) {
|
||||
if (gettype($v) == "string") {
|
||||
$v = htmlspecialchars($v);
|
||||
}
|
||||
});
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
function clean_get() {
|
||||
$temp = [];
|
||||
|
||||
foreach($_GET as $key => $value) {
|
||||
// XSS is possible in both key and values
|
||||
$k = htmlspecialchars($key);
|
||||
$v = htmlspecialchars($value);
|
||||
$temp[$k] = $v;
|
||||
}
|
||||
|
||||
return $temp;
|
||||
}
|
||||
|
||||
// Before anything else is executed we filter all the user input, a lot of code in this project
|
||||
// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
|
||||
if(isset($_POST)) array_walk($_POST, 'filter_post');
|
||||
$_GET = clean_get();
|
||||
$_SERVER['REQUEST_URI'] = str_replace("&", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
|
||||
$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
|
||||
|
||||
|
||||
|
||||
// Ensure the configuration starts out as an empty object.
|
||||
$c = (object) array();
|
||||
$c->script_start_time = microtime(true);
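Review bot: Removing the request-wide input filter (`filter_post`, `clean_get` and the `$_POST`/`$_GET`/`$_SERVER` rewrites) leaves nothing visible in this commit that escapes user data for HTML, while the ChangeLog in the same release claims the reflected and persistent XSS fixes. Encoding on input was the wrong layer anyway — it wrote entity-encoded text into storage, double-encoded on output, skipped only the two password fields, and the `str_replace("&", "&", …)` on the REQUEST_URI line is a no-op as rendered — so dropping it is defensible only if the user/group/resource pages named in the ChangeLog now escape at output time with `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; those files are not in this diff, so I would want that confirmed before tagging the release. On the surviving redirect line, `header('Location: index.php')` is not followed by `exit;`, so the remainder of always.php still runs when the file is requested directly; `if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME']) ) { header('Location: index.php'); exit; }` closes that. I would also add a comment above `$c = (object) array();` such as `// Request data is NOT globally encoded here; each page must escape at output for its own context (HTML, attribute, URL).` so the next maintainer does not reintroduce an input-side filter.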
|
||||
@ -287,7 +246,7 @@ if ( function_exists('awl_set_locale') ) {
|
||||
*/
|
||||
$c->code_version = 0;
|
||||
$c->want_awl_version = '0.60';
|
||||
$c->version_string = '1.1.8'; // The actual version # is replaced into that during the build /release process
|
||||
$c->version_string = '1.1.9'; // The actual version # is replaced into that during the build /release process
|
||||
if ( isset($c->version_string) && preg_match( '/(\d+)\.(\d+)\.(\d+)(.*)/', $c->version_string, $matches) ) {
|
||||
$c->code_major = $matches[1];
|
||||
$c->code_minor = $matches[2];
|
||||
|
||||