Friendica/friendica-github
1
0
Fork 0
mirror of https://github.com/friendica/friendica synced 2025-05-10 12:24:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Fix several vulnerabilities (#13927)

Browse source 
* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event
This commit is contained in:
Hypolite Petovan 2024-02-22 00:53:52 -05:00 committed by GitHub
parent fc3898fe64
commit 5c5d7eb04f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 26 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/Module/BaseAdmin.php
View file

@ -104,7 +104,7 @@ abstract class BaseAdmin extends BaseModule
'logsview' => ['admin/logs/view' , DI::l10n()->t('View Logs') , 'viewlogs'],
]],
'diagnostics' => [DI::l10n()->t('Diagnostics'), [
'phpinfo' => ['admin/phpinfo' , DI::l10n()->t('PHP Info') , 'phpinfo'],
'phpinfo' => ['admin/phpinfo?t=' . self::getFormSecurityToken('phpinfo'), DI::l10n()->t('PHP Info') , 'phpinfo'],
'probe' => ['probe' , DI::l10n()->t('probe address') , 'probe'],
'webfinger' => ['webfinger' , DI::l10n()->t('check webfinger') , 'webfinger'],
'babel' => ['babel' , DI::l10n()->t('Babel') , 'babel'],