Isaac Connor
b25770a2f0
Merge branch 'master' into storageareas
2019-02-13 11:52:31 -05:00
Isaac Connor
d0745da11c
fix path to Control.php
2019-02-13 11:52:16 -05:00
Isaac Connor
dd641793a2
Merge branch 'improve_session' into storageareas
2019-02-13 11:17:30 -05:00
Isaac Connor
91a280e56e
need to include session.php in auth.php
2019-02-13 11:17:15 -05:00
Isaac Connor
a3374aa26c
Merge branch 'reload_zmfilter_on_filter_save' into storageareas
2019-02-11 13:26:53 -05:00
Isaac Connor
5695be9f32
rough in a control function in Filter object. Use it to start/stop zmfilter processes when filters are deleted or Saved.
2019-02-11 13:21:00 -05:00
Matthew Noorenberghe
cdbd59f054
bandwidth.php: Submit to the 'bandwidth' view but render the 'none' view. Fixes #2493
2019-02-10 13:22:08 -08:00
Isaac Connor
555cb4780d
Merge branch 'master' into storageareas
2019-02-10 12:37:45 -05:00
Matthew Noorenberghe
a6ee79f428
Fix typo in dbc1c7b72f comment
2019-02-09 22:40:39 -08:00
Matthew Noorenberghe
dbc1c7b72f
Only output the CSRF Try Again button (and add a warning) when ZM_LOG_DEBUG is on. Fixes #2469
2019-02-09 22:39:54 -08:00
Matthew Noorenberghe
a97711de89
Replace or sanitize remaining uses of PHP_SELF. Fixes #2446
2019-02-09 22:12:36 -08:00
Matthew Noorenberghe
effd609ff7
Escape output of state names. Fixes #2475
2019-02-09 20:40:08 -08:00
Matthew Noorenberghe
c9d597dced
logger.php: Don't output Panic messages unless debugging is on. Fixes #2460
2019-02-09 18:51:30 -08:00
Matthew Noorenberghe
6d2f3c265f
events.php: Remove inline event handlers and enforce CSP
2019-02-09 17:34:59 -08:00
Matthew Noorenberghe
fcbc22b6a2
functions.php: Ensure 'limit' request parameter is an integer. Fixes #2456
2019-02-09 17:27:47 -08:00
Matthew Noorenberghe
502f53fad0
functions.php: Fix SQLi in getFormChanges
2019-02-09 17:15:02 -08:00
Matthew Noorenberghe
254b7286b4
monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451
2019-02-09 16:41:54 -08:00
Matthew Noorenberghe
b2a97ee190
frame.php: Fix multiple XSS from 'show' and 'scale' parameters and enforce CSP.
Fixes #2448, fixes #2449, and fixes #2447.
2019-02-09 15:10:45 -08:00
Matthew Noorenberghe
c8066919ff
functions.php: Escape textContent in htmlOptions()
2019-02-09 14:14:46 -08:00
Matthew Noorenberghe
98e0a0d2c5
Don't output Fatal(...) error messages unless debugging is on to avoid leaking info. Fixes #2459
2019-02-09 02:18:57 -08:00
Matthew Noorenberghe
02f09aad7f
view=export: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2443
2019-02-09 02:01:26 -08:00
Matthew Noorenberghe
0b38e72f88
view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441
2019-02-09 01:16:32 -08:00
Isaac Connor
d33e094526
Merge branch 'master' into storageareas
2019-02-06 17:03:41 -05:00
Isaac Connor
8e62c93f5f
add to_json function to Storage.
2019-02-06 11:44:36 -05:00
Isaac Connor
d121ecab75
Merge branch 'improve_session' into storageareas
2019-02-05 15:48:42 -05:00
Isaac Connor
141f2afc8c
Merge branch 'master' into storageareas
2019-02-05 15:46:58 -05:00
Isaac Connor
21702dcc68
Merge branch 'master' into improve_session
2019-02-05 12:35:29 -05:00
Isaac Connor
c54fe7e89a
fix state actions
2019-02-05 12:35:06 -05:00
Isaac Connor
cb0d9325e6
Use session_regenerate_id instead of our broken code to do the same
2019-02-05 11:45:09 -05:00
Isaac Connor
2466d765bf
If there is a username in the session, then we are logged in, but we need to load the user object from the db. We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request.
2019-02-05 11:44:45 -05:00
Isaac Connor
5a9083fe86
Remove redirect on line. We do it in javascript on postlogin view so that we can say logging in before switching to console
2019-02-05 11:40:58 -05:00
Isaac Connor
97e3a8178a
use session_regenerate_id instead of other strange code
2019-01-30 16:08:09 -05:00
Isaac Connor
b09a71d0e2
code style
2019-01-30 16:06:16 -05:00
Isaac Connor
71f961d012
remove redirect to console on login, as it is done in javascript after Logging in message is displayed
2019-01-30 16:05:51 -05:00
Isaac Connor
4e10e6f0ae
Merge branch 'improve_session' into storageareas
2019-01-30 15:26:37 -05:00
Isaac Connor
9a3aa49bae
Merge branch 'fix_bandwidth' into storageareas
2019-01-30 15:18:16 -05:00
Isaac Connor
533d021dea
Merge branch 'master' into storageareas
2019-01-30 15:17:27 -05:00
Isaac Connor
604dbf8776
fix state changing/etc
2019-01-30 14:36:46 -05:00
Isaac Connor
2e2404643f
Fix bandwidth due to new actions code. Update buttons on bandwidth popup
2019-01-30 13:20:24 -05:00
Isaac Connor
cc0b5e0f1f
Move is_session_open to session.php. Move code to clear a session into session.php
2019-01-30 12:52:01 -05:00
Isaac Connor
0eba430932
remove duplicate line
2019-01-30 11:05:43 -05:00
Isaac Connor
85bb70df68
Use zm specific session functions, which are now located in includes/session.php. Be more aggressive about clearing session on logout.
2019-01-30 11:05:19 -05:00
Matt N
8c5687ca30
Fix name/protocol XSS in controlcaps.php. Fixes #2445 (#2479)
2019-01-25 08:35:07 -05:00
Matt N
fd6179d7c8
Enforce CSP on many more views (#2480)
2019-01-25 08:34:29 -05:00
Matthew Noorenberghe
47d8c9b066
plugin.php: Remove undefined onclick function reference and enforce CSP
Also fix tag closing.
2019-01-23 19:47:58 -08:00
Isaac Connor
6eb4d7ae27
Filter improvements (#2438)
* Put back code to close the popup when view is none
* clean up and reduce depth of some logic
* Increase width of user popup
* fix code style
* Make execute_filter work on a filter Id instead of name
* rework logic to reduce code depth. Change view to events to display the results of execute.
* Change the redirect to stay on the new view. When redirecting from executing a filter, it was redirecting to filter.
* Set a form action for correctness. Change execute button to a button instead of a submit. Stay on the filter view when executing
2019-01-23 11:30:51 -05:00
Isaac Connor
cc8de69eba
Merge branch 'master' into storageareas
2019-01-22 11:44:42 -05:00
Isaac Connor
ae703c45ee
Set closePopup=true so that we don't need code in the none view to close the popup. The common code in skin.js will take care of it.
2019-01-22 09:14:33 -05:00
Matt N
0619a4a161
Validate cnj, obr, and cbr arguments in parseFilter (#2434)
2019-01-22 08:03:25 -05:00
Isaac Connor
7260f823cb
Merge branch 'master' into storageareas
2019-01-21 13:52:38 -05:00