268372dbbd
Merge pull request #6289 from wallabag/2.5/fix-csrf-user-deletion
...
Fix CSRF on user deletion
2023-02-07 21:52:51 +01:00
4e023bddc3
Merge pull request #6288 from wallabag/2.5/xss-username-share-page
...
Fix XSS on username on share page
2023-02-07 21:43:04 +01:00
acd285dcbb
Merge pull request #6290 from wallabag/2.5/fix-add-tag-other-entries
...
Fix adding tag to entries from other people
2023-02-07 21:42:46 +01:00
f1b3d5cdd7
Fix CSRF on user deletion
2023-02-07 21:41:52 +01:00
242e3feac9
Fix adding tag to entries from other people
...
I've also limited tag length to 20 chars (and limit adding more than 5 tags at once)
2023-02-07 21:25:57 +01:00
bd4c71682e
Fix XSS on username on share page
2023-02-07 19:58:06 +01:00
784bc1393c
Merge pull request #6275 from wallabag/2.x/fix-release-script
...
Fix release script
2023-02-06 10:13:57 +01:00
42b03d2834
Fix release script
...
The release script cloned the master branch by default because we never have to clone something else from now.
The script will now clone the tag using the given VERSION parameter.
2023-02-03 10:10:35 +01:00
8954100779
Merge pull request #6267 from wallabag/release/2.5.3
...
Prepare 2.5.3
2.5.3
2023-02-01 10:15:18 +01:00
b795622f06
Prepare 2.5.3
2023-02-01 09:51:02 +01:00
5ac6b6bff9
Merge pull request from GHSA-mrqx-mjc4-vfh3
...
AnnotationController: fix improper authorization vulnerability
2023-02-01 09:32:22 +01:00
0f7460dbab
Merge pull request from GHSA-qwx8-mxxx-mg96
...
ExportController: fix improper authorization vulnerability
2023-02-01 09:30:43 +01:00
3ed7f2b751
AnnotationController: fix improper authorization vulnerability
...
This PR is based on 2.5.x branch.
We fix the improper authorization by retrieving the annotation using id
and user id.
We also replace the ParamConverter used to get the requested Annotation
on put and delete actions with an explicit call to AnnotationRepository
in order to prevent a resource enumeration through response discrepancy.
Fixes GHSA-mrqx-mjc4-vfh3
Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com>
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2023-01-27 23:34:14 +01:00
0fdd9aa991
ExportController: fix improper authorization vulnerability
...
We fix the improper authorization by duplicating the check done by
the private method EntryController::checkUserAction().
We also replace the ParamConverter used to get the requested Entry with
an explicit call to EntryRepository in order to prevent a resource
enumeration through response discrepancy. Thus, we get the same
exception whether the requested resource does not exist or is not owned
by the requester.
Fixes GHSA-qwx8-mxxx-mg96
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2023-01-20 15:09:38 +01:00
9e9aedee94
Merge pull request #6241 from wallabag/fix/2.5/update-deps
...
Update deps before 2.5.3
2023-01-16 10:26:47 +01:00
ea189503de
Fix tests
2023-01-16 10:21:37 +01:00
b50197664e
Update deps before 2.5.3
...
At least, site config will be up to date.
2023-01-16 10:07:06 +01:00
63b7b1c18f
Merge pull request #6026 from wallabag/release/2.5.2
2.5.2
2022-10-21 06:43:56 +02:00
7b2107d3bb
Prepare 2.5.2
2022-10-20 16:00:16 +02:00
14801e36d0
Merge pull request #6025 from weblate/weblate-wallabag-messages
2022-10-20 05:55:23 +02:00
08ce432cea
Translated using Weblate (Japanese)
...
Currently translated at 97.7% (565 of 578 strings)
2022-10-20 02:07:40 +02:00
809e41fe6b
Translated using Weblate (Japanese)
...
Currently translated at 100.0% (40 of 40 strings)
2022-10-20 02:07:39 +02:00
ce79140426
Merge pull request #5992 from wallabag/feature/download-svg-locally
...
Add support to download SVG locally
2022-10-18 11:38:31 +02:00
dc28d7ea0f
Add support to download SVG locally
2022-10-18 11:14:45 +02:00
3340262707
Merge pull request #6019 from yotamN/feature/domain-name-filter
...
Add `domain_name` to entries api endpoint
2022-10-17 21:54:05 +02:00
d4b0b62bb5
Fix unrelated failing test
...
LExpansion is down ATM.
Use a website which isn't down randomly.
2022-10-17 21:49:03 +02:00
7b150dcd26
Add tests
2022-10-17 21:37:08 +02:00
24ae1dbc95
Merge pull request #6023 from wallabag/dependabot/npm_and_yarn/postcss-8.4.18
...
Bump postcss from 8.4.17 to 8.4.18
2022-10-17 02:23:45 +00:00
3ddfe3315a
Bump postcss from 8.4.17 to 8.4.18
...
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.17 to 8.4.18.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.4.17...8.4.18)
---
updated-dependencies:
- dependency-name: postcss
  dependency-type: direct:development
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-17 02:19:36 +00:00
4d318ff559
Merge pull request #6022 from wallabag/dependabot/npm_and_yarn/stylelint-14.14.0
...
Bump stylelint from 14.13.0 to 14.14.0
2022-10-17 02:14:54 +00:00
ee715e8b81
Merge pull request #6021 from wallabag/dependabot/npm_and_yarn/babel/preset-env-7.19.4
...
Bump @babel/preset-env from 7.19.3 to 7.19.4
2022-10-17 02:10:08 +00:00
1d9137a343
Bump stylelint from 14.13.0 to 14.14.0
...
Bumps [stylelint](https://github.com/stylelint/stylelint) from 14.13.0 to 14.14.0.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/stylelint/stylelint/compare/14.13.0...14.14.0)
---
updated-dependencies:
- dependency-name: stylelint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-17 02:06:24 +00:00
7f31603203
Bump @babel/preset-env from 7.19.3 to 7.19.4
...
Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.19.3 to 7.19.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.19.4/packages/babel-preset-env)
---
updated-dependencies:
- dependency-name: "@babel/preset-env"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-17 02:05:59 +00:00
f994ab8b5d
Add domain_name to entries api endpoint
2022-10-16 18:36:41 +03:00
e67e557721
Merge pull request #6016 from weblate/weblate-wallabag-messages
2022-10-13 07:13:46 +02:00
6f750a3b66
Translated using Weblate (Italian)
...
Currently translated at 82.3% (476 of 578 strings)
2022-10-13 00:29:42 +02:00
3589aafbff
Merge pull request #6015 from weblate/weblate-wallabag-messages
...
Translations update from Hosted Weblate
2022-10-12 09:05:31 +02:00
6569d15297
Translated using Weblate (Italian)
...
Currently translated at 82.5% (33 of 40 strings)
2022-10-11 23:29:17 +02:00
a4ea04c9db
Merge pull request #6013 from wallabag/fix/random-failing-test
...
Fix random failing tests
2022-10-10 09:43:19 +02:00
53574f05d5
Fix random failing tests
...
Looks like `20minutos.es` sometimes does not return the expected language.
Switching to `elpais.com` fixes the problem.
2022-10-10 09:15:26 +02:00
cb8f50307c
Merge pull request #6011 from wallabag/dependabot/npm_and_yarn/eslint-8.25.0
...
Bump eslint from 8.24.0 to 8.25.0
2022-10-10 07:09:50 +00:00
4f16640d90
Merge pull request #6012 from wallabag/dependabot/github_actions/dependabot/fetch-metadata-1.3.4
...
Bump dependabot/fetch-metadata from 1.3.1 to 1.3.4
2022-10-10 09:06:24 +02:00
a34750b5ee
Bump dependabot/fetch-metadata from 1.3.1 to 1.3.4
...
Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 1.3.1 to 1.3.4.
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](https://github.com/dependabot/fetch-metadata/compare/v1.3.1...v1.3.4)
---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-10 02:16:51 +00:00
3b1e4e027b
Merge pull request #6010 from wallabag/dependabot/npm_and_yarn/sass-loader-13.1.0
...
Bump sass-loader from 13.0.2 to 13.1.0
2022-10-10 02:10:31 +00:00
1dc6e88cd2
Bump eslint from 8.24.0 to 8.25.0
...
Bumps [eslint](https://github.com/eslint/eslint) from 8.24.0 to 8.25.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.24.0...v8.25.0)
---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-10 02:06:09 +00:00
4c79004d84
Bump sass-loader from 13.0.2 to 13.1.0
...
Bumps [sass-loader](https://github.com/webpack-contrib/sass-loader) from 13.0.2 to 13.1.0.
- [Release notes](https://github.com/webpack-contrib/sass-loader/releases)
- [Changelog](https://github.com/webpack-contrib/sass-loader/blob/master/CHANGELOG.md)
- [Commits](https://github.com/webpack-contrib/sass-loader/compare/v13.0.2...v13.1.0)
---
updated-dependencies:
- dependency-name: sass-loader
  dependency-type: direct:development
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-10 02:05:50 +00:00
639bba031f
Merge pull request #6004 from nexxai/master
2022-10-04 08:12:26 +02:00
6da76ffaae
Typofixes
2022-10-03 18:31:43 -06:00
ed777871c0
Merge pull request #6003 from wallabag/fix/auto-merge-js-deps
...
Allow auto merging of Dependabot JS minor or patch
2022-10-03 09:55:11 +02:00
f2f542d093
Allow auto merging of Dependabot JS minor or patch
...
Reducing the time spent merging deps which shouldn't break the project
2022-10-03 09:39:31 +02:00