Kijin Sung
beee2165fb
Update session class to use getDefaultDomainInfo() for SSO
2017-03-13 11:35:37 +09:00
Kijin Sung
4257edf7fa
Implement saving favicon, mobicon, and default image for domain
2017-03-12 22:55:57 +09:00
Kijin Sung
2e5ffa7dea
Merge branch 'develop' into pr/multidomain
2017-03-08 20:12:15 +09:00
Kijin Sung
f23d52d94d
Version 1.8.34
2017-03-08 19:32:18 +09:00
Kijin Sung
fc77980c39
Merge branch 'develop' into pr/multidomain
2017-03-07 15:43:25 +09:00
Kijin Sung
89255d0281
Initial implementation of CSRF token enforcement in Security class
2017-03-06 15:54:56 +09:00
Kijin Sung
b8569aa5ab
Fix missing semicolon
2017-03-06 15:43:40 +09:00
Kijin Sung
11afa4db42
Add CSRF token to all dynamic forms
2017-03-06 15:37:18 +09:00
Kijin Sung
e82e3fb18c
Implement isSameOrigin() to simplify origin determination
2017-03-06 15:11:45 +09:00
Kijin Sung
14300cbcc3
Insert CSRF token into every AJAX request
2017-03-06 14:47:42 +09:00
Kijin Sung
6afa7b3255
Merge branch 'develop' into pr/csrf-token
2017-03-06 14:34:35 +09:00
Kijin Sung
ef202542c1
Version 1.8.33
2017-03-06 14:11:41 +09:00
Kijin Sung
701f4b5e07
Prevent loading the autoloader more than once
2017-03-06 14:11:30 +09:00
Kijin Sung
b3fb993f73
Insert CSRF token in all AJAX requests via exec_xml(), exec_json(), exec_html()
For now, insert the CSRF token into the three officially supported AJAX functions.
If the checking method is changed later or security is tightened further, it could also be compared against an X-CSRF-Token header.
Inserting the CSRF token into regular form submissions or arbitrary AJAX requests is left for the next commit...
2017-03-06 11:51:38 +09:00
Kijin Sung
e2511a0269
Insert CSRF token using meta tag in common_layout.html
The reason for not using an attribute on the <body> tag or some other tag is that
there are third-party resources that attempt AJAX requests before <body> has loaded.
The CSRF token must be placed at the top of <head> so that it is not missing for such resources.
Many other CMSs and frameworks also insert the CSRF token using a <meta> tag
at the top of <head>, and csrf-token is a meta name officially registered
with the WHATWG for this purpose.
cf. https://wiki.whatwg.org/wiki/MetaExtensions
2017-03-06 11:46:37 +09:00
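The two commit messages above (inserting the token into the AJAX helpers, and publishing it as `<meta name="csrf-token">` at the top of `<head>` so that scripts running before `<body>` can still find it) describe one round trip. The following is an added example, not Rhymix's own code: it reads the token from a constructed page's `<head>`, attaches it to an outgoing request as both a POST field and an `X-CSRF-Token` header, and verifies it on the receiving side with a constant-time comparison. The field name `_rx_csrf_token`, the `act` value and the token value are assumptions made for the example; the server-side check is written in JavaScript only so the whole exchange runs in one file (Rhymix's real check lives in its PHP `Security` class). The regex-based head parser stands in for `document.querySelector('meta[name="csrf-token"]')` so the example runs outside a browser.

```javascript
// Added example (not Rhymix's own code): CSRF token published in <head> as a
// <meta name="csrf-token"> tag, carried on AJAX requests, verified server-side.

// Constructed sample page. The token value is made up for this example.
// Note the third-party <script> in <head>: it may issue AJAX requests before
// <body> exists, which is why the meta tag must precede it in <head>.
const SAMPLE_PAGE = [
  '<!DOCTYPE html><html><head>',
  '<meta charset="utf-8">',
  '<meta name="csrf-token" content="constructed-token-0123456789abcdef">',
  '<script src="https://example.com/widget.js"></script>',
  '</head><body><form>...</form></body></html>',
].join('\n');

// Hypothetical POST field name; Rhymix's actual parameter name is not assumed.
const CSRF_FIELD = '_rx_csrf_token';

// Find the token in <head>. Only meta tags inside <head> are considered, and
// attribute order (name before or after content) does not matter.
// Browser equivalent: document.querySelector('meta[name="csrf-token"]').content
function readCsrfToken(html) {
  const head = /<head[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  if (!head) return null;
  const metaTags = head[1].match(/<meta\b[^>]*>/gi) || [];
  for (const tag of metaTags) {
    if (!/\bname\s*=\s*["']csrf-token["']/i.test(tag)) continue;
    const m = /\bcontent\s*=\s*["']([^"']*)["']/i.exec(tag);
    return m ? m[1] : null;
  }
  return null;
}

// Return a copy of the request with the token added as a POST field and as an
// X-CSRF-Token header, so the server can check either one. Reading the token
// at request time (not at DOMContentLoaded) is what keeps early requests covered.
function withCsrfToken(request, token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('no CSRF token found in <head>; refusing to send request');
  }
  return {
    ...request,
    params: { ...(request.params || {}), [CSRF_FIELD]: token },
    headers: { ...(request.headers || {}), 'X-CSRF-Token': token },
  };
}

// Length- and content-independent comparison: every position is visited and the
// result is accumulated with OR, so a wrong prefix costs the same time as a
// wrong suffix. A length mismatch is folded into the result rather than
// short-circuiting.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Server-side check: accept the token from the header first, then from the
// POST field, and require an exact match with the token stored in the session.
function verifyCsrf(sessionToken, request) {
  const headers = request.headers || {};
  const params = request.params || {};
  const presented = headers['X-CSRF-Token'] || params[CSRF_FIELD];
  if (typeof sessionToken !== 'string' || typeof presented !== 'string') return false;
  return constantTimeEqual(sessionToken, presented);
}

// One full round trip on the constructed page. `act` is a made-up action name.
function demoRoundTrip() {
  const sessionToken = readCsrfToken(SAMPLE_PAGE);
  const req = withCsrfToken(
    { url: '/index.php', params: { act: 'procExampleAction' }, headers: {} },
    sessionToken,
  );
  return { token: sessionToken, request: req, accepted: verifyCsrf(sessionToken, req) };
}
```

A forged cross-site request carries neither the header nor the field, and a request that arrives with a stale token from a previous session fails the comparison; both paths are exercised in the checks below.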
Kijin Sung
a0f2388842
Add Session::getGenericToken() for general-purpose token handling
2017-03-06 11:24:09 +09:00
Kijin Sung
387dd1f78b
Fix #741 do not allow empty HTML content in document and comment
2017-03-06 10:50:06 +09:00
Kijin Sung
5bd5044126
Improve referer checks in Session::checkSSO()
2017-03-04 22:15:46 +09:00
Kijin Sung
af7309b807
Consistently use new domain system for URL::isInternalUrl() and checkCSRF()
2017-03-04 22:09:45 +09:00
Kijin Sung
8cf3d7b520
Update SSO mechanism to use new domain system
2017-03-04 22:05:16 +09:00
Kijin Sung
8d53304e71
Merge branch 'develop' into pr/multidomain
2017-03-04 16:12:31 +09:00
Kijin Sung
cf01038ce6
Refresh member info when setSessionInfo() is called
2017-03-03 01:05:13 +09:00
Kijin Sung
210b6b4147
Merge branch 'develop' into pr/multidomain
2017-03-01 21:50:51 +09:00
MinSoo Kim
76aebe0653
Clean up description page codes... We need translators..
2017-03-01 20:05:59 +09:00
MinSoo Kim
fe1076795d
Strengthen the description of SSL certificates, show recommended settings
Related: https://github.com/rhymix/rhymix/issues/706
2017-02-28 22:22:46 +09:00
Kijin Sung
0fb30425a0
Version 1.8.32
2017-02-27 16:30:08 +09:00
Kijin Sung
ca24533ad9
Update recommended nginx configuration
2017-02-27 16:26:11 +09:00
Kijin Sung
aa879e7326
Improve HTMLFilter handling of editor component properties
2017-02-25 17:37:58 +09:00
Kijin Sung
24c29cfbdb
Version 1.8.31
2017-02-25 15:35:16 +09:00
Kijin Sung
1974f21482
Version 1.8.30
2017-02-23 16:11:06 +09:00
Kijin Sung
8ad6f40abd
Enable ztime() function to process Unix timestamps
2017-02-22 20:20:55 +09:00
Kijin Sung
fdf568bbb2
Update URL::isInternalURL()
2017-02-20 21:53:00 +09:00
Kijin Sung
aae4d884c1
Add homepage (CafeXE) module to blacklist
2017-02-20 21:23:31 +09:00
Kijin Sung
fbe47e0610
Remove temporary list of override domains in Session class
2017-02-18 22:57:39 +09:00
Kijin Sung
a305745aa5
Automatically insert video when iframe source is pasted into editor
2017-02-18 17:04:07 +09:00
Kijin Sung
cbc0197be6
Fix data-file-srl attribute being deleted by HTMLFilter
2017-02-17 21:45:03 +09:00
Kijin Sung
5c8a41a655
Fix PHP warning
2017-02-17 21:38:03 +09:00
Kijin Sung
2582ef2100
More thoroughly delete conflicting cookies
2017-02-17 21:09:57 +09:00
Kijin Sung
64f0d5cb45
Remove Android Chrome from buggy user-agent list
2017-02-17 20:24:13 +09:00
Kijin Sung
51acad706e
Remove unnecessary regex replacement
2017-02-17 20:15:56 +09:00
Kijin Sung
50410ec482
Delete conflicting wildcard cookies from subdomain
2017-02-17 19:44:01 +09:00
Kijin Sung
780034d4ee
Do not explicitly set the domain for session cookies
2017-02-17 19:33:05 +09:00
Kijin Sung
0801c1283e
Merge pull request #719 from kijin/pr/ckeditor-update
Update CKEditor to the latest version
2017-02-16 16:38:12 +09:00
Kijin Sung
cbae2c374e
Use meta refresh instead of 302 redirect on new session
Attempting to fix missing session cookie in some versions of Android webview and Chrome.
This may or may not be of any use, but why not try?
See https://bugs.chromium.org/p/chromium/issues/detail?id=150066
2017-02-16 11:53:27 +09:00
Kijin Sung
e17c4b9c38
Update CKEditor to 4.6.2
2017-02-16 01:17:15 +09:00
Kijin Sung
6b0dd6c192
Standardize password hashing work factor to 10 by default
2017-02-15 11:34:39 +09:00
Kijin Sung
45bde4d1f0
Set session.use_keys to false by default
2017-02-15 11:30:49 +09:00
Kijin Sung
b43c653186
Add options to control session keys and SSL-only attribute
2017-02-14 13:37:30 +09:00
Kijin Sung
dea757cfb7
Do not refresh session keys over POST
2017-02-13 17:49:27 +09:00
Kijin Sung
a6fee16b68
Extend detection of buggy user agents that cannot handle session keys
2017-02-13 17:28:04 +09:00