73 Commits

Author SHA1 Message Date
Florian Schlichting
55d485045f release 1.1.9.3 2020-04-13 22:43:07 +02:00
Florian Schlichting
699d077834 release 1.1.9.2: also check CSRF token in collection-edit.php 2019-12-12 00:25:20 +08:00
Florian Schlichting
e2c6b927c8 HTTP_REFERER will usually be unset for caldav requests, prevent "Undefined index" warnings 2019-12-06 18:17:18 +08:00
Jim Fenton
a3acb770ac release 1.1.9.1: fix XSS function lost in rebuild of always.php 2019-12-03 16:35:08 -08:00
Jim Fenton
e2070c9b7a release 1.1.9 2019-12-03 15:10:05 -08:00
nielsvangijzen
86a8ec5302 Added CSRF to the application (took into account backwards compatibility)
Mitigated the XSS vulnerabilities reported by HackDefense
Advisories for said vulnerabilities can be found here:
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability
2019-10-28 11:55:11 +01:00
Florian Schlichting
4af9595f4d release 1.1.8 2019-01-30 22:53:08 +01:00
“Paul
c5891abc7f Introduce new global variable to control maximum size of carddav resources. 2018-08-30 17:23:12 +02:00
Florian Schlichting
05397d635c release 1.1.6 2018-01-12 00:15:36 +01:00
Florian Schlichting
eba26021c7 update doc and fix a warning 2018-01-08 22:43:27 +01:00
Florian Schlichting
3ba605288f release 1.1.6 2017-10-25 11:48:43 +02:00
Florian Schlichting
4410d7e94a don't put caldav.php in special URLs 2017-09-19 21:23:06 +02:00
Florian Schlichting
bbea62d288 Merge branch 'server-array-upper' into 'master'
Convert array keys for $_SERVER to uppercase

See merge request !38
2017-04-24 21:59:08 +00:00
Jan Losinski
e97c9674e9 Convert array keys for $_SERVER to uppercase
It seems to be the case that array indices in $_SERVER are always
uppercase. Sadly I could not find any documentation of this but at
least with mod_php it is the case. Also an extensive search on GitHub
projects seems to support this thesis.

On my installation the 'X-FORWARDED-PROTO' is uppercase even when
it's mixed case in the Header provided by the reverse proxy.

Signed-off-by: Jan Losinski <losinski@wh2.tu-dresden.de>
2017-04-13 03:00:36 +02:00
Florian Schlichting
06e20e5508 don't send early exceptions to the client only, leave a trace in the error log too 2017-04-08 16:43:21 +02:00
Florian Schlichting
4f72fdfea1 Bump davical version to 1.1.5, DB is at 1.3.2 2017-01-23 23:02:56 +01:00
Florian Schlichting
93bd6073b1 creating a DAVResource from "/ " loops a lot 2017-01-11 00:10:33 +01:00
Florian Schlichting
2c0c65d08a add optional support for X-Forwarded-Proto etc (closes: #87)
Modify the relevant $_SERVER variables directly, as we're using them in
various places in davical and awl.
2017-01-06 16:06:11 +01:00
Florian Schlichting
eb7f2edc0c eliminate trailing whitespace, expand tabs 2016-12-30 08:52:44 +01:00
Florian Schlichting
0901fd2756 Remove remaining references to $c->local_tzid (fixes #35) 2016-12-02 00:24:53 +01:00
Florian Schlichting
86447e31fe Set the same default timezone to Database and PHP 2016-12-01 19:17:22 +01:00
Andrew McMillan
b85f8e79fe Fail better!
There's a long-standing annoyance about catching errors in the early
stages of startup - sometimes they seem to disappear nowhere and yet
nothing works.  This fixes at least part of that.
2016-06-22 23:26:24 +01:00
Florian Schlichting
0281a8d619 adapt to AWL function rename get_fields() -> awl_get_fields() 2016-06-13 22:02:47 +02:00
Florian Schlichting
af1707ef1d prepare for 1.1.4 2016-01-03 19:09:56 +01:00
Jim Fenton
b95eade0b9 Update required version of AWL to 0.56 2015-12-10 14:04:01 -08:00
Florian Schlichting
cbe63d3182 release 1.1.3.1, fixing a critical typo in htdocs/always.php :-( 2014-10-07 08:48:19 +02:00
Florian Schlichting
37e814c647 release 1.1.3 2014-10-07 00:58:47 +02:00
Andrew McMillan
d0fffe490a Set the default timezone to the database as well as for PHP. 2013-09-26 14:24:08 +02:00
Andrew McMillan
cc8e6a0131 Release 1.1.2 2013-07-15 13:12:05 +12:00
Andrew McMillan
7e51fa8541 Release 1.1.1 2012-07-11 08:39:11 +12:00
Andrew McMillan
0d47b81e48 Remove bug trace. 2012-07-09 01:16:46 +12:00
Andrew McMillan
2f82e69cfb Correctly test for repeated caldav.php in URL. 2012-07-08 11:58:58 +12:00
Andrew McMillan
55aefbecce Try to trace how we get caldav.php/ doubled in a path. 2012-06-30 16:03:25 +12:00
Andrew McMillan
2538835a12 Seems that change to output buffer flushing is problematic with zlib. 2012-06-14 13:36:15 +12:00
Andrew McMillan
46addb00fd Fix some final niggles with setup.php and spurious logged errors. 2012-05-30 23:04:10 +12:00
Andrew McMillan
cf934f8a90 Release 1.1.0 2012-05-28 21:27:15 +12:00
Andrew McMillan
724a549502 Fix thinko. 2012-05-14 22:26:17 +12:00
Andrew McMillan
47363b4f41 We should error 500 when we have an exception that isn't caught. 2012-05-14 20:54:43 +12:00
Andrew McMillan
7f60277b83 Always default the timezone to something, even if the user did not. 2012-05-03 15:42:28 +12:00
Andrew McMillan
9ee6f37d77 Make it possible to see output from /setup.php when DB is unavailable.
Also depends on some changes to AwlDbDialect/AwlQuery.
2012-04-22 10:01:40 +12:00
Andrew McMillan
3afa91be85 Don't try and initialize gettext unless it's installed. 2012-04-18 16:46:32 +12:00
Andrew McMillan
f68823a5b2 Get rid of potential warning on early use of date() 2012-03-22 15:00:29 +13:00
Andrew McMillan
655f34aa27 Correct HTTP date formatting function. 2012-03-16 16:44:59 +13:00
Andrew McMillan
8d4dfb5d91 Handle HTTP date formatting for non-English locales (force English names). 2012-03-12 13:02:11 +13:00
Andrew McMillan
927a98482f Release 1.0.2 2012-01-14 10:46:56 +13:00
Andrew McMillan
067cbdc841 Release 1.0.1 2012-01-05 12:30:52 +13:00
Andrew McMillan
70f6587a18 Release 1.0.0 2012-01-04 16:48:45 +13:00
Andrew McMillan
b50b2d82ea Force output buffers to be flushed, if they're turned on.
If output buffering is turned on, PHP can be a bit slack about sending
the data to the client before closing the connection with exit(). These
changes ensure we call ob_flush() before we leave.  We call @ob_flush()
so we don't get noisy warnings when output buffering is off...
2011-11-02 18:43:10 +13:00
Andrew McMillan
bb8bf75e8f Release 0.9.9.7 2011-10-24 20:27:43 +13:00
Andrew McMillan
2127c294a3 Various small fixes preparing for release.
Correct logic for auto-creating addressbook for new user.
Fix non-creation of default addressbook.
Fix principal/collection edit to allow write of no privileges.
Fix collection edit timezone list to use new table.
Update davical & libawl version in always.php.
Regression test changes with update to davical.sql.
2011-09-25 22:29:31 +13:00